author Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-11-08 08:35:01 +0100
committer Nikos Mavrogiannopoulos <nmav@gnutls.org> 2014-11-08 08:37:35 +0100
commit 06505d37cb9671b20e2d80278d3517716fb59ece
tree 12a19fee22e215ce6346d0d783b54e080f94b29c
parent 20db59c0db3a29e834bd4b82b99e46b6ae891777
doc: updated text on session tickets
-rw-r--r-- doc/cha-gtls-app.texi 4
-rw-r--r-- doc/cha-intro-tls.texi 9
2 files changed, 11 insertions, 2 deletions
diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index 5098b99407..a2e0e08f2c 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -1372,7 +1372,9 @@ for expiration.
A server utilizing tickets should generate ticket encryption
and authentication keys using @funcref{gnutls_session_ticket_key_generate}.
Those keys should be associated with the GnuTLS session using
-@funcref{gnutls_session_ticket_enable_server}.
+@funcref{gnutls_session_ticket_enable_server}, and should be rotated regularly
+(e.g., every few hours), to prevent them from becoming long-term keys which
+if revealed could be used to decrypt all previous sessions.
@showfuncdesc{gnutls_session_ticket_enable_server}
@showfuncdesc{gnutls_session_ticket_key_generate}
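Review bot: the sentence added after @funcref{gnutls_session_ticket_enable_server} tells the reader to rotate keys "every few hours" but not how to do it, and it leaves out that the retired key has to be discarded, which the cha-intro-tls.texi text in this same commit does say ("rotated and discarded regularly"). Please describe rotation in terms of the two functions already named in this paragraph, and say what a client holding a ticket issued under the old key should expect after the switch. "All previous sessions" is also broader than the exposure: it is the sessions whose tickets were protected by that key. Minor: the relative clause needs commas, "long-term keys which, if revealed, could be used to decrypt".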
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index ba4af097ba..f45b49fcfa 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -437,7 +437,14 @@ to the client. Because session parameters are sensitive they are encrypted
and authenticated with a key only known to the server and then sent to the
client. The Session Tickets extension is described in RFC 5077 @xcite{TLSTKT}.
-Since version 3.1.3 GnuTLS clients transparently support session tickets.
+A disadvantage of session tickets is that they eliminate the effects of
+forward secrecy when a server uses the same key for long time. That is,
+the secrecy of all sessions on a server using tickets depends on the ticket
+key being kept secret. For that reason server keys should be rotated and discarded
+regularly.
+
+Since version 3.1.3 GnuTLS clients transparently support session tickets,
+unless the PFS session string is specified.
@node HeartBeat
@subsection HeartBeat
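Review bot: "unless the PFS session string is specified" in the last added sentence uses a term that is not defined in this section, so a reader cannot tell what to set or where. If this means the PFS keyword given to the priority functions, name it that way and add a cross-reference. As written it is also unclear whether "Since version 3.1.3" applies to the exception or only to ticket support. The new paragraph advises that server keys "should be rotated and discarded regularly" without pointing to where this is done; a @ref to the session ticket text in cha-gtls-app.texi would close that gap. Typo: "for long time" should be "for a long time".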