[Cryptography] Possible reason why password usage rules are such a mess

Jerry Leichter leichter at lrw.com
Thu Mar 5 16:37:31 EST 2020


> I've never heard a good technical explanation for requiring periodic password changes, but wouldn't all the arguments about why it's silly to require frequent password changes apply to requiring certificate renewals?
There are arguments to be made for requiring certificate renewals, such as making sure that people aren't using 512-bit RSA keys any more.  But I'll agree the arguments are weak.  Mainly, this is a way to ensure the CAs have a viable business model:  If certs are "one and done", how long would CAs be around?

There is another valid argument for having certs expire:  When the expiration dates are short enough, you get an effect that's equivalent to CRLs, but without some of the headaches.  However, this hasn't been a practical use case until automated renewal of certs became easy.

> (and while we're at it, though I don't want to distract from the "why must certificates be periodically renewed" question...why does my driver's license, which proves who I am, not work for getting on an airplane if the license is expired...I can understand if they won't let me fly the plane with an expired driver's license, but I'm just planning on being a passenger.)
This has been around *forever*.  I remember that my sister tried to provide her college ID to someone, but they rejected it because she'd just graduated and it had expired.  Her comment at the time was "it may have expired, but I haven't!"

Meanwhile, if you've traveled in the last 5-10 years (I don't know when this changed), not only must your passport not be expired - it must not expire within 6 months of when you start your trip.  The only explanation I can come up with is that it's a stealth way of reducing passport lifetimes by 5%, forcing you to pay the fees again.

And don't get me started on the completely absurd paperwork requirements for "enhanced ID" driver's licenses.  The first time I tried to get one, I had three pieces of (computer printed, non-canceled) mail (what does that prove?) to prove residence - but one was more than 3 months old, and another had my first name as Jerry rather than Jerrold.  So sorry, you lose, come back again later.

                                                        -- Jerry
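The two technical points in the reply above, renewal as the moment to retire weak keys and short lifetimes as a substitute for CRLs, can be made concrete with a small model. The following is an added example, not code from the post or from any CA software; the certificate and CRL records, the timeline, the 2048-bit policy minimum and the 24-hour and 7-day parameters are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy minimum; the post's example of a key that renewal
# should retire is 512-bit RSA.
MIN_RSA_BITS = 2048


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    not_before: datetime
    not_after: datetime
    rsa_bits: int


def is_valid_at(cert: Cert, now: datetime) -> bool:
    """The plain validity-period check a relying party performs, with no revocation data."""
    return cert.not_before <= now < cert.not_after


def renew(cert: Cert, now: datetime, lifetime: timedelta,
          rsa_bits: Optional[int] = None) -> Cert:
    """Issue a successor certificate.

    Renewal is the one point where the CA can refuse a key that no longer
    meets policy, which is the first argument for expiry in the post.
    """
    bits = cert.rsa_bits if rsa_bits is None else rsa_bits
    if bits < MIN_RSA_BITS:
        raise ValueError(f"{cert.subject}: {bits}-bit RSA key is below the policy minimum of {MIN_RSA_BITS}")
    return Cert(cert.subject, now, now + lifetime, bits)


def exposure_short_lived(cert: Cert, compromised_at: datetime) -> timedelta:
    """Short-lived certs: the CA simply stops renewing after a compromise.

    The existing cert stays acceptable until not_after, so the exposure
    window is bounded by the remaining lifetime.
    """
    return max(cert.not_after - compromised_at, timedelta(0))


def exposure_crl(compromised_at: datetime, last_crl_issued: datetime,
                 crl_interval: timedelta) -> timedelta:
    """Long-lived cert plus CRL: relying parties keep trusting the cached CRL
    until its next scheduled update, so the revocation is only seen then.

    Simplification (assumed): every relying party fetches each CRL the moment
    it is published; real clients can lag further behind.
    """
    next_update = last_crl_issued + crl_interval
    while next_update <= compromised_at:
        next_update += crl_interval
    return next_update - compromised_at


def demo() -> dict:
    """Constructed timeline comparing the two expiry regimes."""
    t0 = datetime(2020, 3, 5, 0, 0, tzinfo=timezone.utc)
    compromised_at = t0 + timedelta(hours=10)

    # Regime A: 24-hour certs, renewed automatically each day.
    short = Cert("example.test", t0, t0 + timedelta(hours=24), 2048)
    # Regime B: one-year cert, weekly CRL last published at t0.
    long_lived = Cert("example.test", t0, t0 + timedelta(days=365), 2048)

    short_hours = exposure_short_lived(short, compromised_at) / timedelta(hours=1)
    crl_hours = exposure_crl(compromised_at, t0, timedelta(days=7)) / timedelta(hours=1)

    # Renewal as the policy gate: a 512-bit key is refused, a 2048-bit key is issued.
    try:
        renew(short, t0 + timedelta(hours=24), timedelta(hours=24), rsa_bits=512)
        weak_key_refused = False
    except ValueError:
        weak_key_refused = True
    successor = renew(short, t0 + timedelta(hours=24), timedelta(hours=24))

    return {
        "short_lived_hours": short_hours,
        "crl_hours": crl_hours,
        "long_cert_still_valid": is_valid_at(long_lived, compromised_at + timedelta(days=30)),
        "weak_key_refused": weak_key_refused,
        "successor_valid_next_day": is_valid_at(successor, t0 + timedelta(hours=30)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the constructed numbers, a key compromised ten hours into a 24-hour certificate is usable for at most 14 more hours with no revocation infrastructure at all, while the same compromise under a one-year certificate and a weekly CRL is invisible to relying parties for 158 hours. The trade is that the 24-hour regime depends on renewal succeeding every day, which is why the post ties it to automated renewal.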




More information about the cryptography mailing list