by insanitybit 1345 days ago
> Is there an argument for why non-expiring tokens are a bad idea that I'm missing here?

Because people leave tokens around that are no longer used and forget about them, of course.


Ok. But 1 year means I have less than a year, then less than a year again, then less than a year again. Can’t even do one month and just do the first of every month. These expiration times make no sense, or they make sense for machines but not humans.

You don't have to revoke a key as soon as it is rotated. If you rotate every week you can have a job that runs every week, offset by one day, to revoke.

Right, but there’s no way to do that on the same day every year, or even the “first Tuesday of every June” because that may or may not always fall within a year.

Also, these tokens have to be rotated by a human. So weekly is way too often.

> Right, but there’s no way to do that on the same day every year, or even the “first Tuesday of every June” because that may or may not always fall within a year.

Why would that matter?

Because we are humans. If I say “see you in a year” that doesn’t mean a year to the second.

I don't understand the problem here. You can have a separate revocation schedule.
> If you rotate every week you can have a job that runs every week, offset by one day, to revoke.

This might be a silly question, but how do you authenticate that revoke?

Usually tokens have the right to revoke themselves or you have a separate system like Vault that manages revocation.

I think what I want here is a token which expires if it hasn't been used for six months.
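The two mechanisms the thread circles around, rotation with a separate revocation job "offset by one day" and a token that dies after six months without use, fit together in one small store. The code below is an added illustration written for this page, not code from any commenter or from Vault; the `TokenStore` class, its method names, the one-day grace period, the 180-day idle limit and the constructed timestamps (day 0 = 0.0 seconds) are all assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 86400.0  # seconds; constructed time base for the example


@dataclass
class Token:
    value: str
    issued_at: float
    last_used_at: float
    revoke_after: Optional[float] = None  # set once a rotation supersedes this token


class TokenStore:
    """Hypothetical in-memory token store (example only).

    - rotate() issues a replacement and schedules the old token for revocation
      `grace` seconds later, so callers have an overlap window to switch.
    - sweep() is the periodic revocation job from the thread: it revokes
      superseded tokens whose grace period has elapsed and any token that has
      not been used for longer than `idle_ttl`.
    - authenticate() applies the same two checks on every use, so a token is
      rejected even if the sweep job has not run yet.
    """

    def __init__(self, idle_ttl: float, grace: float) -> None:
        self.idle_ttl = idle_ttl
        self.grace = grace
        self.tokens: Dict[str, Token] = {}
        self.audit: List[Tuple[str, str]] = []  # (event, token) for later review

    def issue(self, now: float) -> str:
        value = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.tokens[value] = Token(value, now, now)
        self.audit.append(("issue", value))
        return value

    def rotate(self, old: str, now: float) -> str:
        """Issue a replacement and put the old token on the revocation schedule."""
        new = self.issue(now)
        tok = self.tokens.get(old)
        if tok is not None and tok.revoke_after is None:
            tok.revoke_after = now + self.grace
            self.audit.append(("schedule_revoke", old))
        return new

    def authenticate(self, value: str, now: float) -> bool:
        """Accept only a live token, and record the use for idle tracking."""
        tok = self.tokens.get(value)
        if tok is None:
            return False
        if tok.revoke_after is not None and now >= tok.revoke_after:
            self._revoke(value, "grace_elapsed")
            return False
        if now - tok.last_used_at > self.idle_ttl:
            self._revoke(value, "idle")
            return False
        tok.last_used_at = now
        return True

    def sweep(self, now: float) -> List[str]:
        """Periodic job: revoke superseded tokens past grace and idle tokens."""
        revoked: List[str] = []
        for value, tok in list(self.tokens.items()):
            if tok.revoke_after is not None and now >= tok.revoke_after:
                self._revoke(value, "grace_elapsed")
                revoked.append(value)
            elif now - tok.last_used_at > self.idle_ttl:
                self._revoke(value, "idle")
                revoked.append(value)
        return revoked

    def _revoke(self, value: str, reason: str) -> None:
        del self.tokens[value]
        self.audit.append(("revoke:" + reason, value))


def simulate() -> dict:
    """Walk the lifecycle discussed in the thread on constructed timestamps."""
    store = TokenStore(idle_ttl=180 * DAY, grace=1 * DAY)
    old = store.issue(0.0)
    new = store.rotate(old, 7 * DAY)                       # weekly rotation
    overlap_ok = store.authenticate(old, 7 * DAY + 3600)   # old still works during grace
    swept_day8 = store.sweep(8 * DAY)                      # revocation job, offset by one day
    old_after = store.authenticate(old, 8 * DAY + 3600)
    new_after = store.authenticate(new, 8 * DAY + 3600)
    swept_idle = store.sweep(8 * DAY + 3600 + 181 * DAY)   # `new` unused for over six months
    return {
        "overlap_ok": overlap_ok,
        "old_revoked_by_sweep": old in swept_day8,
        "old_after_sweep": old_after,
        "new_after_sweep": new_after,
        "new_idle_expired": new in swept_idle,
        "live_tokens": len(store.tokens),
    }


if __name__ == "__main__":
    print(simulate())
```

The point of keeping the grace check inside `authenticate()` as well as in `sweep()` is that the revocation job can run on a human-friendly schedule (weekly, first of the month) without that schedule becoming the security boundary: a superseded or idle token is refused on its next use regardless of when the job last ran. The `audit` list is where a defender would look to confirm that every rotation was followed by a revocation.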