Right now we're setting base::Time::Now() in authpolicy.cc, but that depends on the system clock and can run backwards. For policy validation, though, we need a timer that can never run backwards. That way, we could validate that no old version of a policy is used.