diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go
index 4c0e4f1d..1c41f325 100644
--- a/gen/pb-go/common/v1/sigstore_common.pb.go
+++ b/gen/pb-go/common/v1/sigstore_common.pb.go
@@ -453,7 +453,7 @@ type PublicKey struct {
 	RawBytes []byte `protobuf:"bytes,1,opt,name=raw_bytes,json=rawBytes,proto3,oneof" json:"raw_bytes,omitempty"`
 	// Key encoding and signature algorithm to use for this key.
 	KeyDetails PublicKeyDetails `protobuf:"varint,2,opt,name=key_details,json=keyDetails,proto3,enum=dev.sigstore.common.v1.PublicKeyDetails" json:"key_details,omitempty"`
-	// Optional validity period for this key.
+	// Optional validity period for this key, *inclusive* of the endpoints.
 	ValidFor *TimeRange `protobuf:"bytes,3,opt,name=valid_for,json=validFor,proto3,oneof" json:"valid_for,omitempty"`
 }
 
@@ -931,8 +931,8 @@ func (x *X509CertificateChain) GetCertificates() []*X509Certificate {
 	return nil
 }
 
-// The time range is half-open and does not include the end timestamp,
-// i.e [start, end).
+// The time range is closed and includes both the start and end times,
+// (i.e., [start, end]).
 // End is optional to be able to capture a period that has started but
 // has no known end.
 type TimeRange struct {
diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
index 5aa908d6..d959eeb9 100644
--- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
+++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
@@ -133,7 +133,10 @@ type CertificateAuthority struct {
 	CertChain *v1.X509CertificateChain `protobuf:"bytes,3,opt,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
 	// The time the *entire* chain was valid. This is at max the
 	// longest interval when *all* certificates in the chain were valid,
-	// but it MAY be shorter.
+	// but it MAY be shorter. Clients MUST check timestamps against *both*
+	// the `valid_for` time range *and* the entire certificate chain.
+	//
+	// The TimeRange should be considered valid *inclusive* of the endpoints.
 	ValidFor *v1.TimeRange `protobuf:"bytes,4,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"`
 }
 
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
index bc8ceed7..a0cbef10 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
@@ -135,7 +135,7 @@ class PublicKey(betterproto.Message):
     valid_for: Optional["TimeRange"] = betterproto.message_field(
         3, optional=True, group="_valid_for"
     )
-    """Optional validity period for this key."""
+    """Optional validity period for this key, *inclusive* of the endpoints."""
 
 
 @dataclass(eq=False, repr=False)
@@ -216,8 +216,8 @@ class X509CertificateChain(betterproto.Message):
 @dataclass(eq=False, repr=False)
 class TimeRange(betterproto.Message):
     """
-    The time range is half-open and does not include the end timestamp, i.e
-    [start, end). End is optional to be able to capture a period that has
+    The time range is closed and includes both the start and end times, (i.e.,
+    [start, end]). End is optional to be able to capture a period that has
     started but has no known end.
     """
 
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
index fca622d2..facb523a 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
@@ -57,6 +57,9 @@ class CertificateAuthority(betterproto.Message):
     """
     The time the *entire* chain was valid. This is at max the longest interval
     when *all* certificates in the chain were valid, but it MAY be shorter.
+    Clients MUST check timestamps against *both* the `valid_for` time range
+    *and* the entire certificate chain. The TimeRange should be considered
+    valid *inclusive* of the endpoints.
     """
 
 
diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts
index 082bb8de..db015dd6 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_common.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts
@@ -225,7 +225,7 @@ export interface PublicKey {
     | undefined;
   /** Key encoding and signature algorithm to use for this key. */
   keyDetails: PublicKeyDetails;
-  /** Optional validity period for this key. */
+  /** Optional validity period for this key, *inclusive* of the endpoints. */
   validFor?: TimeRange | undefined;
 }
 
@@ -299,8 +299,8 @@ export interface X509CertificateChain {
 }
 
 /**
- * The time range is half-open and does not include the end timestamp,
- * i.e [start, end).
+ * The time range is closed and includes both the start and end times,
+ * (i.e., [start, end]).
  * End is optional to be able to capture a period that has started but
  * has no known end.
  */
diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
index a96c8b6f..281fe929 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
@@ -55,7 +55,10 @@ export interface CertificateAuthority {
   /**
    * The time the *entire* chain was valid. This is at max the
    * longest interval when *all* certificates in the chain were valid,
-   * but it MAY be shorter.
+   * but it MAY be shorter. Clients MUST check timestamps against *both*
+   * the `valid_for` time range *and* the entire certificate chain.
+   *
+   * The TimeRange should be considered valid *inclusive* of the endpoints.
    */
   validFor: TimeRange | undefined;
 }
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index eeb0fb43..54e8c3ba 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -104,7 +104,7 @@ message PublicKey {
         optional bytes raw_bytes = 1;
         // Key encoding and signature algorithm to use for this key.
         PublicKeyDetails key_details = 2;
-        // Optional validity period for this key.
+        // Optional validity period for this key, *inclusive* of the endpoints.
         optional TimeRange valid_for = 3;
 }
 
@@ -187,8 +187,8 @@ message X509CertificateChain {
         repeated X509Certificate certificates = 1;
 }
 
-// The time range is half-open and does not include the end timestamp,
-// i.e [start, end).
+// The time range is closed and includes both the start and end times,
+// (i.e., [start, end]).
 // End is optional to be able to capture a period that has started but
 // has no known end.
 message TimeRange {
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 4192dd76..7330ce40 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -52,7 +52,10 @@ message CertificateAuthority {
         dev.sigstore.common.v1.X509CertificateChain cert_chain = 3;
         // The time the *entire* chain was valid. This is at max the
         // longest interval when *all* certificates in the chain were valid,
-        // but it MAY be shorter.
+        // but it MAY be shorter. Clients MUST check timestamps against *both*
+        // the `valid_for` time range *and* the entire certificate chain.
+        //
+        // The TimeRange should be considered valid *inclusive* of the endpoints.
         dev.sigstore.common.v1.TimeRange valid_for = 4;
 }