Reduce maximum allowed valid authorization lifetime

ra/ra.go

@@ -318,20 +318,28 @@ func NewValidationProfiles(defaultName string, configs map[string]*ValidationPro
 	profiles := make(map[string]*validationProfile, len(configs))
 
 	for name, config := range configs {
-		// The Baseline Requirements v1.8.1 state that validation tokens "MUST
-		// NOT be used for more than 30 days from its creation". If unconfigured
-		// or the configured value pendingAuthorizationLifetimeDays is greater
-		// than 29 days, bail out.
+		// The Baseline Requirements v2.2.5 state that a validation token (Random
+		// Value) "MUST NOT be used more than 30 days from its creation". If
+		// unconfigured or the configured value pendingAuthorizationLifetimeDays is
+		// greater than 29 days, bail out.
 		if config.PendingAuthzLifetime.Duration <= 0 || config.PendingAuthzLifetime.Duration > 29*(24*time.Hour) {
 			return nil, fmt.Errorf("PendingAuthzLifetime value must be greater than 0 and less than 30d, but got %q", config.PendingAuthzLifetime.Duration)
 		}
 
-		// Baseline Requirements v1.8.1 section 4.2.1: "any reused data, document,
-		// or completed validation MUST be obtained no more than 398 days prior
-		// to issuing the Certificate". If unconfigured or the configured value is
-		// greater than 397 days, bail out.
-		if config.ValidAuthzLifetime.Duration <= 0 || config.ValidAuthzLifetime.Duration > 397*(24*time.Hour) {
-			return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 398d, but got %q", config.ValidAuthzLifetime.Duration)
+		// Baseline Requirements v2.2.5, Section 4.2.1: "any data, document, or
+		// completed validation used MUST be obtained within the maximum number of
+		// days prior to issuing the Certificate, as defined in the following...:
+		// 2026-03-15: 200 days; 2027-03-15: 100 days; 2029-03-15: 10 days"
+		//
+		// Our CP/CPS, v6.0, Section 4.2.1: "Certificate information is verified
+		// using data and documents obtained no more than 90 days prior to issuance
+		// of the Certificate."
+		//
+		// If unconfigured or the configured value is greater than 89 days, bail
+		// out.
+		// TODO before 2029-03-15: Update this to 9 days.
+		if config.ValidAuthzLifetime.Duration <= 0 || config.ValidAuthzLifetime.Duration > 89*(24*time.Hour) {
+			return nil, fmt.Errorf("ValidAuthzLifetime value must be greater than 0 and less than 89d, but got %q", config.ValidAuthzLifetime.Duration)
 		}
 
 		if config.MaxNames <= 0 || config.MaxNames > 100 {

ra/ra_test.go

@@ -368,16 +368,16 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 	testKeyPolicy, err := goodkey.NewPolicy(nil, nil)
 	test.AssertNotError(t, err, "making keypolicy")
 
-	profiles := &validationProfiles{
-		defaultName: "test",
-		byName: map[string]*validationProfile{"test": {
-			pendingAuthzLifetime: 7 * 24 * time.Hour,
-			validAuthzLifetime:   300 * 24 * time.Hour,
-			orderLifetime:        7 * 24 * time.Hour,
-			maxNames:             100,
-			identifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
-		}},
-	}
+	profiles, err := NewValidationProfiles("test", map[string]*ValidationProfileConfig{
+		"test": {
+			PendingAuthzLifetime: config.Duration{Duration: 7 * 24 * time.Hour},
+			ValidAuthzLifetime:   config.Duration{Duration: 30 * 24 * time.Hour},
+			OrderLifetime:        config.Duration{Duration: 7 * 24 * time.Hour},
+			MaxNames:             100,
+			IdentifierTypes:      []identifier.IdentifierType{identifier.TypeDNS},
+		},
+	})
+	test.AssertNotError(t, err, "making validation profiles")
 
 	ra := NewRegistrationAuthorityImpl(
 		fc, log, stats,