diff --git a/docs/security.txt b/docs/security.txt
index e4e7df8..f09f362 100644
--- a/docs/security.txt
+++ b/docs/security.txt
@@ -5,6 +5,10 @@ honk is not currently hardened against SSRF, server side request forgery. Be
 mindful of what else may be reachable on localhost or the local network if
 it's not generally accessible.
 
+Key and signature verification is best effort, but some forgeries may sneak
+past. In particular, tying together key name, key owner, actor, object, etc.
+is incomplete.
+
 How are user keys supposed to be rotated? Expired? Revoked?
 
 The current answer is never, never, never.