
Re: Security hole: Digital Signing + Downloadable fonts
At 11:57 AM 12/5/96 +0000, Bob Briscoe wrote:
>Downloadable fonts have been added to the Web infrastructure, particularly
>to support internationalisation. Indeed it is very common and now enabled
>for, say an E. Asian document to specify downloading a sub-set of a Latin
>font to display a Latin fragment (e.g. a quote).
>
>Same technique could be used to specify that a message of any charset
>should download a font for the numeric digits with, say, all the digits
>mapped to glyphs looking like either <SPACE> 0, 1, 2 or 3.
>
>You sign an order that appears to be for UKP 112.30, but you have actually
>signed a message that commits you to pay UKP96324.75

This is an interesting problem which we should address in W3C DSig, if the
signed document includes a reference to the font with which it should be
displayed.  In that case, the document should give not only the address of
the font but also the hash of the font.

However, there is a more general issue -- that any page is viewed through a
piece of software, running on something other than a trusted computing
base.  How can you trust anything then?

How much is our signature and certification work actually building a bank
vault door on a cardboard box?

 - Carl


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
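The fix Carl proposes (sign the font's hash alongside its address, and have the viewer refuse to render with a font whose hash does not match), as an added example that is not part of the original thread. The font bytes, URL and HMAC key are constructed stand-ins; a real scheme would use a public-key signature over the same canonical bytes.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for font files (real fonts would be binary blobs).
HONEST_FONT = b"constructed font: digits 0-9 drawn as their usual glyphs"
SWAPPED_FONT = b"constructed font: digits 4-9 drawn to look like space, 0-3"
# Hypothetical shared key standing in for the signer's private key.
SIGNING_KEY = b"constructed-demo-key"


def font_digest(font_bytes: bytes) -> str:
    return hashlib.sha256(font_bytes).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def make_signed_order(text: str, font_url: str, font_bytes: bytes) -> dict:
    """Sign the order text together with the address AND the hash of its font."""
    payload = {"text": text,
               "font": {"url": font_url, "sha256": font_digest(font_bytes)}}
    return {"payload": payload, "sig": _sign(payload)}


def verify_and_render(order: dict, fetched_font: bytes):
    """Return the text to display only if the signature holds and the font
    actually fetched matches the hash the signer committed to; else None."""
    if not hmac.compare_digest(_sign(order["payload"]), order["sig"]):
        return None  # text or font reference altered after signing
    if not hmac.compare_digest(order["payload"]["font"]["sha256"],
                               font_digest(fetched_font)):
        return None  # server delivered a font other than the one signed over
    return order["payload"]["text"]


def render_address_only(order: dict, fetched_font: bytes):
    """The weak scheme: the signature is checked, but the fetched font bytes
    are never compared to anything, so any font served at the URL is used."""
    if not hmac.compare_digest(_sign(order["payload"]), order["sig"]):
        return None
    return order["payload"]["text"]  # fetched_font never checked
```

With the swapped font, `verify_and_render` returns None while `render_address_only` happily displays the order, which is exactly the gap Bob describes.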