Re: Security hole: Digital Signing + Downloadable fonts
My guess is that people generally want to sign their own material
produced on their PC, and not web pages and similar things downloaded
from anywhere.
To tell the truth I do not see any reason to do that.
Miklos
====================================================================
Pa'sztor Miklo's | E-mail: pasztor@sztaki.hu
MTA SZTAKI/ASZI Budapest
1132 V. Hugo u. 18-22 | Tel: (36)-(1)-149-75-32
Institute for Computation and Automation,
Hungarian Academy of Sciences
====================================================================
On Thu, 5 Dec 1996, Carl Ellison wrote:
[...]
|
|This is an interesting problem which we should address in W3C DSig, if the
|signed document includes a reference to the font with which it should be
|displayed. In that case, the document should give not only the address of
|the font but also the hash of the font.
|
|However, there is a more general issue -- that any page is viewed through a
|piece of software, running on something other than a trusted computing
|base. How can you trust anything then?
|
|How much is our signature and certification work actually building a bank
|vault door on a cardboard box?
|
| - Carl
|
|
|+------------------------------------------------------------------+
||Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
||CyberCash, Inc. http://www.cybercash.com/ |
||207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
||Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
|+------------------------------------------------------------------+
|
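
The binding proposed in the quoted message (the signed document carries the font's hash as well as its address), as an added example that is not part of the original thread. It assumes an HMAC as a stand-in for a real digital signature; the manifest field names, key, URL and font bytes are all constructed for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a real signature


def _payload(manifest):
    # Canonical byte encoding so signer and verifier authenticate the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_document(text, font_url, font_bytes, bind_font=True):
    """Build a manifest (hypothetical layout) for the document and authenticate it."""
    font = {"url": font_url}
    if bind_font:
        # The signed data covers the font's digest, not only its address.
        font["sha256"] = hashlib.sha256(font_bytes).hexdigest()
    manifest = {"text": text, "font": font}
    tag = hmac.new(KEY, _payload(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_document(manifest, tag, fetched_font):
    """Return 'ok', 'bad signature', 'font mismatch' or 'font unbound'."""
    expected = hmac.new(KEY, _payload(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "bad signature"
    pinned = manifest["font"].get("sha256")
    if pinned is None:
        return "font unbound"  # the signature says nothing about the glyphs shown
    actual = hashlib.sha256(fetched_font).hexdigest()
    if not hmac.compare_digest(actual, pinned):
        return "font mismatch"
    return "ok"


# Constructed sample data: two byte strings standing in for font files.
FONT_SIGNED = b"constructed font file A"
FONT_SERVED = b"constructed font file B"
URL = "https://fonts.example/doc.font"  # placeholder address

if __name__ == "__main__":
    m, t = sign_document("I owe 100", URL, FONT_SIGNED)
    print(verify_document(m, t, FONT_SIGNED))   # font matches the pinned hash
    print(verify_document(m, t, FONT_SERVED))   # different font at the same URL
    m2, t2 = sign_document("I owe 100", URL, FONT_SIGNED, bind_font=False)
    print(verify_document(m2, t2, FONT_SERVED))  # address only: swap goes unnoticed
```

The check covers only the bytes of the font file; the more general point in the quoted message, that the viewing software itself is outside any trusted computing base, is untouched by it.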