author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-29 12:57:23 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-29 12:57:23 +0200 |
commit | 6e4864e54febd729fb84ec7441e84ef94983ebea (patch) | |
tree | 40295d25d2cbdd40d377d12d31997198fa07db2c /NEWS | |
parent | 0616a47b407ee7835a7767306411769c4645ca6e (diff) | |
download | gnutls-6e4864e54febd729fb84ec7441e84ef94983ebea.tar.gz |
doc update
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 14 |
1 files changed, 9 insertions, 5 deletions
@@ -18,11 +18,15 @@ See the end for copying conditions. ** libgnutls: Added new APIs to access the FIPS186-4 (Shawe-Taylor based) provable RSA and DSA parameter generation from a seed. -** libgnutls: On a rehandshake ensure that the certificate of the peer (if - available) is the same as in previous handshakes. That is to protect - applications which do not check user credentials on rehandshakes from - attacks related to unsafe renegotiation. This can be overriden using - the %GNUTLS_ALLOW_ID_CHANGE flag in gnutls_init(). +** libgnutls: On a rehandshake ensure that the certificate of the peer or + its username remains the same as in previous handshakes. That is to protect + applications which do not check user credentials on rehandshakes. The + threat to address depends on the application protocol. Primarily it + protects against applications which authenticate the peer initially and + perform accounting using the session's information, from being misled + by a rehandshake which switches the peer's identity. Applications can + disable this protection by using the %GNUTLS_ALLOW_ID_CHANGE flag in + gnutls_init(). ** libgnutls: Be strict in TLS extension decoding. That is, do not tolerate parsing errors in the extensions field and treat it as a typical Hello |
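Review bot: In the added rehandshake entry, "it protects against applications which authenticate the peer initially and perform accounting using the session's information, from being misled by a rehandshake" reads as if the applications were the threat. Drop "against" so it says "it protects applications which authenticate the peer initially ... from being misled by a rehandshake which switches the peer's identity". The entry now covers the username as well as the certificate, but it still does not say what the application observes when the identity changes, and the new text no longer carries the old "(if available)" qualifier. A short clause stating how the rehandshake is rejected, and what happens when no certificate or username was presented in the first handshake, would let callers decide whether they need %GNUTLS_ALLOW_ID_CHANGE. "The threat to address depends on the application protocol" is also vague as written; either tie it to the accounting case that follows or remove it.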