I noticed Adobe had some new documents up on the "Digital Publishing Technology" section of their website, including the intriguingly-named "
Protecting Embedded Fonts in EPUB Documents." It does in fact describe what the title suggests -- how the EPUB files produced by InDesign "encrypt" embedded fonts and how Adobe DE reads them back. And yep, the method is XOR -- just XOR the first 1024 bytes of the font-files with the big-endian form of the first "urn:uuid:" <dc:identifier/> in the OPF metadata.
I'm trying to decide what I think of this. It isn't going to prevent a single EPUB reading application author from being able to load embedded fonts, but it probably will stop people from just casually yanking copyrighted OpenType fonts out of random e-books. I think it may actually be quite clever of them.