Comment 3 for bug 1003962

Adam Young (ayoung) wrote :

We don't on the first pass. If 8 hours is too long for policy, make it shorter.

This is the approach followed by Kerberos, and it has been fairly successful.

I have a write up for a Revocation scheme should we need it, but I think it unnecessarily complicates the system.

Note that I think if we use PKI signed token authentication, we should remove the ability to do token chaining, where one token is allowed to request the next without the user re-authenticating themselves manually, as that is a huge security hole.
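The two ideas in this comment, a fixed token lifetime standing in for revocation and a flat refusal to mint a new token from an existing one, can be shown in a small validator. This is an added example, not code from the bug thread or from Keystone. It uses an HMAC over the token body as a stand-in for the PKI signature the comment describes (the key, lifetime, function names and token layout are all assumptions made for the example), so the checks it demonstrates are the signature, the expiry, and the no-chaining rule rather than any real Keystone format.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; stands in for the signer's private key in a PKI deployment.
SIGNING_KEY = b"constructed-demo-signing-key"

# The 8-hour lifetime discussed in the comment; shorten it if policy needs tighter bounds.
TOKEN_LIFETIME_SECONDS = 8 * 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: int, authenticated_by: str = "password",
                lifetime: int = TOKEN_LIFETIME_SECONDS) -> str:
    """Mint a signed, expiring token for a user who just authenticated.

    authenticated_by records what credential the caller presented. Presenting an
    existing token is refused outright: there is no chaining, so a leaked token
    can never be used to obtain a fresh one and outlive its own expiry.
    """
    if authenticated_by == "token":
        raise PermissionError("token chaining is disabled; re-authenticate with credentials")
    payload = {"user": user, "iat": now, "exp": now + lifetime}
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


def validate_token(token: str, now: int):
    """Return the token payload if the signature is valid and it has not expired, else None.

    No revocation list is consulted: once the signature checks out, expiry alone
    decides whether the token is still good, which is the Kerberos-style model
    the comment argues for.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        signature = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature leaks nothing through timing.
    if not hmac.compare_digest(signature, expected):
        return None
    payload = json.loads(body)
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


def renew_from_token(token: str, now: int) -> str:
    """What a chaining endpoint would do; here it always fails after validation."""
    payload = validate_token(token, now)
    if payload is None:
        raise PermissionError("invalid or expired token")
    return issue_token(payload["user"], now, authenticated_by="token")


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("alice", t0)
    print("valid at +1h:", validate_token(tok, t0 + 3600) is not None)
    print("valid at +8h:", validate_token(tok, t0 + TOKEN_LIFETIME_SECONDS) is not None)
    try:
        renew_from_token(tok, t0 + 3600)
    except PermissionError as exc:
        print("renewal refused:", exc)
```

The point of `renew_from_token` is that it is the endpoint you would delete under the proposal: validation succeeds, yet issuance is refused because the presented credential is a token rather than the user's own authentication.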