trustno1

5 years ago · 5e921b566f
parent 1fd6865996
commit 5e921b566f
1 changed files with 4 additions and 0 deletions
--- a/docs/security.txt
+++ b/docs/security.txt
@ -5,6 +5,10 @@ honk is not currently hardened against SSRF, server side request forgery. Be
 mindful of what else may be reachable on localhost or the local network if
 it's not generally accessible.

+Key and signature verification is best effort, but some forgeries may sneak
+past. In particular, tying together key name, key owner, actor, object, etc.
+is incomplete.
+
 How are user keys supposed to be rotated? Expired? Revoked?

 The current answer is never, never, never.