[Cryptography] IDs and licenses, not Possible reason why password usage rules
John Levine
johnl at iecc.com
Fri Mar 6 21:03:07 EST 2020
In article <ad682ff8-e773-2496-e17b-d7536dac435d at symas.com> you write:
>John Levine wrote:
>> In article <abf9eebe-5e85-98ed-4ecc-1f64827ee5b0 at symas.com> you write:
>>> The discussion here is why you can't use an expired photo ID for travel.
>>> Doesn't matter whether it's a driver's license or some other government
>>> issued ID.
>>
>> Here's a simple thought experiment. [ get on a plane with revoked but unexpired license ]
>This is the same scenario as browsing to a website with an expired TLS cert.
>Most of the time it will be safe to ignore the fact that it's expired, and
>continue browsing. But it presents an opportunity for hijacking the site,
>which is why current browsers won't let you proceed (without extra hassle).
I imagine most of us are pretty bored by this but I want to go one more round
because I still see confusion about licenses, IDs, and that it matters what
you're trying to identify.
I hope it's obvious why using a revoked unexpired license as an ID is
nothing like an expired SSL certificate -- one still says it's valid,
the other doesn't. The person validating a plane ticket doesn't check
whether the license is revoked because for this application IT DOESN'T
MATTER. I'm still me whether or not I'm allowed to drive.
The threat model for human IDs and web certificates are rather
different. People do not change identities from year to year -- if I
am me today I was in previous decades, and will continue to be me
until I die. That's why the UK can issue licenses good until you're
75, an age presumably chosen as when people need their eyes retested.
Web sites aren't like that. Domains expire and are sold and recycled.
Back when CA's took the PKI model seriously (the 1990s) they went to
considerable effort to validate the real world identity of anyone
applying for a cert, and put that identity info into the cert. We saw
a brief resurgence of that with EV certificates. That's why it did
make some sense to expire and reissue certificates periodically to
recheck whether the package of identity info is still valid.
Now, of course, CAs do no more than check that the party applying for
the cert has some minimal control over the domain name. The only
reason I can see for expiring them is that it's the lazy way to fake
revocation lists.
R's,
John
More information about the cryptography
mailing list