mace-opensaml-users - Expiration: IssueInstant/NotOnOrAfter
Subject: OpenSAML user discussion
- Subject: Expiration: IssueInstant/NotOnOrAfter
- Date: Wed, 7 Sep 2005 01:05:33 -0400 (EDT)
BrowserProfile.receive (and deprecated SAMLPOSTProfile.process) seems to base
expiration against the IssueInstant, for example:
//Check security bits in the outer wrapper (Recipient and IssueInstant)
...
if (response->getIssueInstant()->getEpoch() < now-(2*config.clock_skew_secs))
    throw ExpiredAssertionException("detected expired POST profile response");
(BrowserProfile.receive then subsequently checks the NotBefore and
NotOnOrAfter conditions)
Not knowing any better, I'd assumed that the "conditions" could be
iteratively validated in a generalized manner (such as with TSIK's
validateConditions) and that an arbitrary NotOnOrAfter could be set, but it
seems that the bounding condition is config.clock_skew_secs rather than
NotOnOrAfter -- what is the reasoning behind basing expiration on
IssueInstant rather than simply NotOnOrAfter?
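The two-stage check the message describes, modelled as an added example that is not OpenSAML's own code: a Python freshness test on the Response's IssueInstant bounded by 2*clock_skew_secs, followed by the assertion's NotBefore/NotOnOrAfter conditions, run over constructed timestamps. The 180-second skew, the one-skew tolerance applied to the conditions and every timestamp are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

def parse_saml_instant(value: str) -> int:
    """xsd:dateTime in UTC ('Z' suffix, optional fractional seconds) -> epoch seconds."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps are expected in UTC: %r" % value)
    body = value[:-1].split(".")[0]  # fractional seconds are optional; drop them
    dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

@dataclass
class ResponseTiming:
    """Timestamps of one POSTed Response and its assertion's Conditions (constructed)."""
    issue_instant: str
    not_before: Optional[str] = None
    not_on_or_after: Optional[str] = None

def check_post_response(resp: ResponseTiming, now: int, clock_skew_secs: int) -> Tuple[bool, str]:
    """Acceptance test modelled on the post's description of BrowserProfile.receive.
    Stage 1: outer Response freshness, bounded by IssueInstant and 2*clock_skew_secs.
    Stage 2: assertion Conditions, with one skew interval of tolerance each (assumed)."""
    issued = parse_saml_instant(resp.issue_instant)
    if issued < now - 2 * clock_skew_secs:
        return False, "expired POST profile response (stale IssueInstant)"
    if resp.not_before and now + clock_skew_secs < parse_saml_instant(resp.not_before):
        return False, "assertion not yet valid (NotBefore)"
    if resp.not_on_or_after and now - clock_skew_secs >= parse_saml_instant(resp.not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)"
    return True, "ok"

# Constructed scenario: the SP's clock reads 05:05:33Z; a skew of 180 s is an assumed setting.
NOW = parse_saml_instant("2005-09-07T05:05:33Z")
CLOCK_SKEW_SECS = 180
CASES = {
    "fresh": ResponseTiming("2005-09-07T05:05:00Z", not_on_or_after="2005-09-07T05:10:33Z"),
    # issued ten minutes ago even though NotOnOrAfter is still an hour away
    "stale": ResponseTiming("2005-09-07T04:55:33Z", not_on_or_after="2005-09-07T06:05:33Z"),
    "early": ResponseTiming("2005-09-07T05:05:00Z", not_before="2005-09-07T05:15:00Z"),
    "expired": ResponseTiming("2005-09-07T05:05:00Z", not_on_or_after="2005-09-07T05:00:00Z"),
}

def run_cases() -> dict:
    """Evaluate every constructed case against the same SP clock and skew."""
    return {name: check_post_response(r, NOW, CLOCK_SKEW_SECS) for name, r in CASES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_cases().items():
        print("%-8s %s %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

The "stale" case reproduces what the message observes: a Response whose assertion is valid for another hour is still rejected once its IssueInstant falls outside the skew window, so the window in which a captured POST response can be replayed is capped by the relying party's skew setting rather than by the issuer's NotOnOrAfter.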
- Expiration: IssueInstant/NotOnOrAfter, sventek23, 09/07/2005
- RE: Expiration: IssueInstant/NotOnOrAfter, Scott Cantor, 09/07/2005