From d5b474e22836f510c74c90adf710fe8bda84b90a Mon Sep 17 00:00:00 2001 From: Eugene Medvedev Date: Sat, 24 Jun 2023 20:07:32 +0300 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Observation.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 44f9580..77bc79a 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,10 @@ There is currently no way for us to know if a user's certificate has been revoke Similarly, there is no way to prevent someone from using an expired certificate, since they can set the clock to what they want. +### Privacy + +The certificate, as issued by LoTW, embeds the email address you used with LoTW -- I am not certain whether it is the address they had on file at the time they issued your certificate, or the address you registered with initially. While `lotw-trust` does not display this information anywhere or even access it, it's there, and anyone sufficiently crafty can extract it from the signature block of a file you signed. There is nothing I can do to prevent this. + ### General caveats I am not a cryptographer, I am a sociologist. Golang is not my best language, it's just the one that got me the result the quickest, while still allowing to easily make a cross-platform tool.
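Review bot: In the new "### Privacy" section of README.md, the clause "I am not certain whether it is the address they had on file at the time they issued your certificate, or the address you registered with initially" leaves the reader unable to tell which address a signed file will disclose. Either confirm which one it is and state it, or tell the reader to inspect their own certificate and check the embedded address before signing anything they plan to publish. The paragraph also says the address can be extracted "from the signature block of a file you signed" without saying why it is there. If the signature block carries the signer's certificate, one clause stating that would make it clear that the exposure applies to every signed file and not only to the certificate itself. Since the section ends on "There is nothing I can do to prevent this", a closing sentence on what the user can do would be more useful, for example deciding whether they are comfortable with that address being public before they distribute signed files.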