<div dir="ltr">Good points.<br><br>> Another scenario: someone tcpdumps my traffic (yes, somehow they
have the SSL cert, work with this assumption for now). They can come
back 3 days from now,
browse the tcpdump output, and renew the token. That would not be
possible with a short-lived token and no renewal past expiration.<div><br></div><div>Renewal with expired tokens isn't being proposed. This is a straw man argument.<br></div></div>