[Cryptography] Possible reason why password usage rules are such a mess
Kent Borg
kentborg at borg.org
Thu Mar 5 23:53:36 EST 2020
On 3/5/20 2:36 PM, Radia Perlman wrote:
> I've never heard a good technical explanation for requiring periodic
> password changes, but wouldn't all the arguments about why it's silly
> to require frequent password changes apply to requiring certificate
> renewals?
I've only created self-signed certificates...and I have always picked a
date far further into the future than the computer in question would
still be functioning.
> why does my driver's license, which proves who I am, not work for
> getting on an airplane if the license is expired...I can understand if
> they won't let me fly the plane with an expired driver's license, but
> I'm just planning on being a passenger.)
A good reason, a bad reason, and a pedantic reason:
1) Your appearance changes over time, so a new photo is smart,
2) To raise money--note that renewals without a new photo are sometimes
allowed, and
3) When the rule says the credential is not valid then it is not valid
(makes for simpler, more robust protocols to have fewer special cases,
and to heck with common sense*).
Like rules about "authentication words" that carry over to new
circumstances and persist for years: an original reason (new photo, test
vision, verify address, etc.) finds a new motivation (revenue).
-kb
* Interesting to look at how "common sense" might seem like both an
attack vector and an agile response. Drop your phone in the
airplane toilet, not realize it is your own, report it to the flight
attendant as suspicious and that can start a procedure that cannot be
stopped. "Oh, I realize that was MY phone. No biggie." "Sorry, we
already set the transponder to 7500, we now have to follow the protocol."