Re: [ft-devel] DSIG - Re: Freetype-devel Digest, Vol 130, Issue 8

From: Hin-Tak Leung
Subject: Re: [ft-devel] DSIG - Re: Freetype-devel Digest, Vol 130, Issue 8
Date: Tue, 10 Nov 2015 07:37:31 +0000

On Tue, Nov 10, 2015 4:21 AM GMT Werner LEMBERG wrote:

> But I think signing is a good thing - not from the security point
> of view, but of making font designers (or rather, font modifiers)
> less callous about doing ad hoc modification of fonts. I think
> requiring signing - or even just *showing* the DSIG status - of
> fonts would improve the general quality of them.
> There's water under that bridge already.  Neither WOFF nor WOFF2
> maintain the exact byte sequence in a font.
> And integrity checks at installation time can be easily done with an
> external MD5 or sha256 checksum, which is far easier to handle.

DSIG is equivalent to having an internal md5 or sha1 checksum (I have only seen
these two used, but up to 7 other digest algorithms are allowed, if I read the
spec correctly) as well as saying 'who' did the checksum, so it is marginally
better, though yes, neither generating such nor verifying such is easy at the
moment... Hopefully this will improve soon.
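
As an added illustration (not part of the original message and not FreeType code): a sketch of "showing the DSIG status" of a font next to the external SHA-256 mentioned in the quoted text. It assumes a plain single-font sfnt file (not TTC or WOFF); `dsig_status` and `build_sample` are hypothetical names, the sample font is constructed, and the PKCS#7 blob is only located, not verified.

```python
import hashlib
import struct

def dsig_status(font: bytes) -> dict:
    """Report DSIG presence and signature block layout; verifies nothing."""
    status = {"sha256": hashlib.sha256(font).hexdigest(),  # external-style checksum
              "has_dsig": False, "signatures": []}
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack_from(">H", font, 4)[0]
    if 12 + 16 * num_tables > len(font):
        raise ValueError("table directory runs past end of file")
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if tag != b"DSIG":
            continue
        if length < 8 or off + length > len(font):
            raise ValueError("DSIG table out of bounds")
        table = font[off:off + length]
        version, count, flags = struct.unpack_from(">IHH", table, 0)
        if 8 + 12 * count > length:
            raise ValueError("DSIG signature records truncated")
        status.update(has_dsig=True, version=version, flags=flags)
        for j in range(count):
            fmt, blk_len, blk_off = struct.unpack_from(">III", table, 8 + 12 * j)
            if blk_len < 8 or blk_off + blk_len > length:
                raise ValueError("signature block out of bounds")
            sig_len = struct.unpack_from(">I", table, blk_off + 4)[0]
            if 8 + sig_len > blk_len:
                raise ValueError("signature longer than its block")
            # The PKCS#7 blob (digest plus signer identity) is not parsed here.
            status["signatures"].append({"format": fmt, "pkcs7_bytes": sig_len})
    return status

def build_sample(with_dsig: bool) -> bytes:
    """Constructed test input: an sfnt directory with at most one table."""
    if not with_dsig:
        return struct.pack(">IHHHH", 0x00010000, 0, 0, 0, 0)
    blob = b"\x30\x03\x02\x01\x00"  # placeholder bytes, not a real signature
    block = struct.pack(">HHI", 0, 0, len(blob)) + blob
    table = struct.pack(">IHH", 1, 1, 0) + struct.pack(">III", 1, len(block), 20) + block
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"DSIG", 0, 28, len(table))
    return header + record + table

if __name__ == "__main__":
    print(dsig_status(build_sample(True)))
```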
