RE: Unicode and Security

From: Christopher J Fynn (cfynn@druknet.net.bt)
Date: Thu Feb 07 2002 - 07:33:26 EST


John Hudson wrote:

> I can make an OpenType font for that uses contextual substitution to
> replace the phrase 'The licensee also agrees to pay the type designer
> $10,000 every time he uses the lowercase e' with a series of invisible
> non-spacing glyphs. Of course, the backing store will contain my
> dastardly hidden clause and that is the text the unwitting victim will
> electronically sign. Hahahaha, he laughed maniacally!

How about a font that displays any number following a dollar sign as only
10% of the actual value in the backing text?

As John pointed out, this sort of thing isn't a Unicode problem. One could
just as easily employ the same kind of hidden rendering rules with ASCII
text. The only way to prevent this sort of fraud altogether would be to
throw out complex script rendering and encode glyphs not characters... I
don't think anyone seriously wants to go back down that route and anyway it
would probably take decades and a huge effort to make such a standard
properly covering all the scripts already in Unicode - and there would
undoubtedly still be other problems.

There are plenty of ways paper documents can be altered, added to or just
plain forged by someone intent on fraud - some of them extremely difficult
to detect. I don't know, but it's probably safest to assume that the
situation is similar with electronic documents - whatever security systems
are in place. That's one reason why you should always keep a duplicate copy
of any contract you sign - whether it's an electronic document you digitally
sign or a paper document you sign with a pen.

- Chris
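
An added example, not part of the original message: one way a signer could catch the mismatch described above is to compare the backing store against an independent transcription of what was actually displayed, and to record the digest of the bytes a signature would cover. The function names and sample strings are constructed for illustration, and the transcription is assumed to come from OCR of a screenshot or a manual retype.

```python
import difflib
import hashlib
import unicodedata

# Constructed sample: the hidden clause is the one quoted in the message above.
SHOWN = "The licensee accepts these terms."
CLAUSE = ("The licensee also agrees to pay the type designer $10,000 "
          "every time he uses the lowercase e")
BACKING = SHOWN + " " + CLAUSE


def normalize(text):
    """NFC-normalize and collapse whitespace so layout changes are ignored."""
    return " ".join(unicodedata.normalize("NFC", text).split())


def rendering_mismatches(backing, displayed):
    """List (op, backing_part, displayed_part) wherever the two texts differ.

    `displayed` is an independent transcription of what the signer saw
    (assumed here to come from OCR of a screenshot or a manual retype).
    """
    a, b = normalize(backing), normalize(displayed)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [(op, a[i1:i2], b[j1:j2])
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]


def signed_digest(backing):
    """SHA-256 over the UTF-8 backing store, the bytes a signature covers."""
    return hashlib.sha256(backing.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for op, in_store, on_screen in rendering_mismatches(BACKING, SHOWN):
        print(f"{op}: backing store {in_store!r}, displayed {on_screen!r}")
    print("digest of what would be signed:", signed_digest(BACKING))
```

Any non-empty result means the rendering and the backing store disagree, so the document should not be signed until the difference is explained.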



This archive was generated by hypermail 2.1.2 : Thu Feb 07 2002 - 07:08:40 EST