From 2e1bda3e5dfbb0dde5bc1694da5a4e35917ebe2f Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Wed, 25 Feb 2026 12:46:41 -0800
Subject: [PATCH 1/2] Reduce maximum allowed valid authorization lifetime
---
ra/ra.go | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/ra/ra.go b/ra/ra.go
index c3f3b2ee336..44843a38abd 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -318,20 +318,28 @@ func NewValidationProfiles(defaultName string, configs map[string]*ValidationPro
 profiles := make(map[string]*validationProfile, len(configs))
 for name, config := range configs {
- // The Baseline Requirements v1.8.1 state that validation tokens "MUST
- // NOT be used for more than 30 days from its creation". If unconfigured
- // or the configured value pendingAuthorizationLifetimeDays is greater
- // than 29 days, bail out.
+ // The Baseline Requirements v2.2.5 state that a validation token (Random
+ // Value) "MUST NOT be used more than 30 days from its creation". If
+ // unconfigured or the configured value pendingAuthorizationLifetimeDays is
+ // greater than 29 days, bail out.
 if config.PendingAuthzLifetime.Duration <= 0 || config.PendingAuthzLifetime.Duration > 29*(24*time.Hour) {
 return nil, fmt.Errorf("PendingAuthzLifetime value must be greater than 0 and less than 30d, but got %q", config.PendingAuthzLifetime.Duration)
 }
- // Baseline Requirements v1.8.1 section 4.2.1: "any reused data, document,
- // or completed validation MUST be obtained no more than 398 days prior
- // to issuing the Certificate". If unconfigured or the configured value is
- // greater than 397 days, bail out.
- if config.ValidAuthzLifetime.Duration <= 0 || config.ValidAuthzLifetime.Duration > 397*(24*time.Hour) {
- return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 398d, but got %q", config.ValidAuthzLifetime.Duration)
+ // Baseline Requirements v2.2.5, Section 4.2.1: "any data, document, or
+ // completed validation used MUST be obtained within the maximum number of
+ // days prior to issuing the Certificate, as defined in the following...:
+ // 2026-03-15: 200 days; 2027-03-15: 100 days; 2029-03-15: 10 days"
+ //
+ // Our CP/CPS, v6.0, Section 4.2.1: "Certificate information is verified
+ // using data and documents obtained no more than 90 days prior to issuance
+ // of the Certificate."
+ //
+ // If unconfigured or the configured value is greater than 89 days, bail
+ // out.
+ // TODO before 2029-03-15: Update this to 9 days.
+ if config.ValidAuthzLifetime.Duration <= 0 || config.ValidAuthzLifetime.Duration > 89*(24*time.Hour) {
+ return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 89d, but got %q", config.ValidAuthzLifetime.Duration)
 }
 if config.MaxNames <= 0 || config.MaxNames > 100 {
From a93d09b1ef411508eaef7037fb3a08e426cb4f9f Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Wed, 25 Feb 2026 12:52:27 -0800
Subject: [PATCH 2/2] Update unit tests
---
ra/ra_test.go | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/ra/ra_test.go b/ra/ra_test.go
index 3a278657f58..39c5dd3ea1b 100644
--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@@ -368,16 +368,16 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 testKeyPolicy, err := goodkey.NewPolicy(nil, nil)
 test.AssertNotError(t, err, "making keypolicy")
- profiles := &validationProfiles{
- defaultName: "test",
- byName: map[string]*validationProfile{"test": {
- pendingAuthzLifetime: 7 * 24 * time.Hour,
- validAuthzLifetime: 300 * 24 * time.Hour,
- orderLifetime: 7 * 24 * time.Hour,
- maxNames: 100,
- identifierTypes: []identifier.IdentifierType{identifier.TypeDNS},
- }},
- }
+ profiles, err := NewValidationProfiles("test", map[string]*ValidationProfileConfig{
+ "test": {
+ PendingAuthzLifetime: config.Duration{Duration: 7 * 24 * time.Hour},
+ ValidAuthzLifetime: config.Duration{Duration: 30 * 24 * time.Hour},
+ OrderLifetime: config.Duration{Duration: 7 * 24 * time.Hour},
+ MaxNames: 100,
+ IdentifierTypes: []identifier.IdentifierType{identifier.TypeDNS},
+ },
+ })
+ test.AssertNotError(t, err, "making validation profiles")
 ra := NewRegistrationAuthorityImpl(
 fc, log, stats,
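Review bot: The new error message says "less than 89d" while the guard on the line above only rejects values greater than 89 days, so a configured value of exactly 89d is accepted yet the message tells the operator it is not allowed; the pending-lifetime check earlier in the hunk keeps the two aligned (rejects > 29d, reports "less than 30d"). Presumably 89 is meant as a one-day margin under the CP/CPS 90-day bound, in which case the message should read `return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 90d, but got %q", config.ValidAuthzLifetime.Duration)`; if instead 89d itself is meant to be out of bounds, the guard should become `config.ValidAuthzLifetime.Duration >= 89*(24*time.Hour)`. Since the TODO already schedules a further reduction for 2029-03-15, a named constant such as `maxValidAuthzLifetime = 89 * (24 * time.Hour)` used in both the guard and the message would keep the next change from reintroducing this mismatch. NewValidationProfiles continues past the end of the hunk.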
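Review bot: The fixture now goes through NewValidationProfiles and is therefore subject to the new 89-day ValidAuthzLifetime cap, but nothing in this change pins that boundary, so the limit could drift without a test noticing. If ra_test.go does not already have a table test for NewValidationProfiles, a pair of cases with `ValidAuthzLifetime: config.Duration{Duration: 89 * 24 * time.Hour}` expected to succeed and `90 * 24 * time.Hour` expected to fail would cover it, mirroring whatever exists for the 29-day PendingAuthzLifetime check. Lowering the fixture from 300 to 30 days also changes which authorizations the RA treats as reusable in every test built on initAuthorities; a sentence in the commit message noting that no test relies on authorizations surviving a long clock advance would help the next reader. initAuthorities begins and ends outside the hunk.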