diff --git a/OpenPGP-Security.md b/OpenPGP-Security.md index c62c183..1857e35 100644 --- a/OpenPGP-Security.md +++ b/OpenPGP-Security.md @@ -52,7 +52,9 @@ No real argument here. Just shows that OpenPGP is complex. TODO: Yes we must do this. Important TODO ## No support for Image Attribute Subpackets -In about 99% of all use cases there are better photos to be found in Android's contact database. Photos are displayed only if a key has been confirmed, otherwise this could lead the user into a false sense of security. +In about 99% of all use cases there are better photos to be found in Android's contact database. Photos from Android's contact database are displayed only if a key has been confirmed, otherwise this could lead the user into a false sense of security. It is also not clear what a certification of an Image Attribute Subpacket would semantically mean. This is not specified in RFC 4880. Other applications such as [Kleopatra](https://www.kde.org/applications/utilities/kleopatra/) also doesn't support this subpackets. + + ## Key IDs aren't displayed * Short key IDs (last 32 bits of the key's fingerprint) are trivially to replicate via a [preimage attack](https://en.wikipedia.org/wiki/Preimage_attack).
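Review bot: The new sentence "Other applications such as Kleopatra also doesn't support this subpackets" has a number-agreement error in the added line; suggest "Other applications, such as Kleopatra, also don't support these subpackets." The claim that RFC 4880 does not specify what a certification over an Image Attribute Subpacket means would be more checkable with a section reference, since the RFC does define the User Attribute packet and its image subpacket (section 5.12 and 5.12.1) and states how such packets may be certified; either cite the section or soften the wording to "does not define the semantics of certifying a photo." Finally, the two added empty `+` lines leave a double blank line before "## Key IDs aren't displayed", which differs from the single blank line used between the other sections; drop one of them.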