Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.
That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.
Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable; we'll work on that.
> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies ex. ipa817@star-co.net.kp (IP Office), kscost@star-co.net.kp (Sci/Tech Commission), ksf@star-co.net.kp (Ministry of Culture and Sports), mhs-ip@star-co.net.kp (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.
How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?
I only noticed the star net one (not sure if it’s even in use) when writing this. I noticed the Pyongyang Zoo (which shares an IP with the Architects Society—one on 443 and one on 80 lmao) first, just from flipping through their very small IP space on Shodan.
You can see them all on crt.sh, because LE has to upload them to a CT log for browsers to trust them. (That’s how most of those subdomain finder websites work too.) The email servers seem to have gotten certs from a for profit CA back in 2015, but I’m not sure if they ever used them. Most of their webspace seems to be HTTP only. (And it’s a good thing, because some of their Apache versions are potentially old enough to have Heartbleed.)
The architects website has some pretty cool PDF magazines btw. They also have several websites for their insurance companies (perhaps some intl org needs them to have a website for listing)—that's a core hard currency stream for them and they previously have been accused of submitting false losses.
Thanks for responding, and to clarify, I am confident that Let's Encrypt is shared as widely as they are able. Could you explain what that requirement does stem from?
According to the current administration, almost half of the US is considered a political enemy of the current administration.
Soon they might be pushing for Operating Systems to gather political party preference information, so they can know who should be restricted from the use of strong encryption. The options being:
It'll be interesting when/if they sanction Antifa. Since it doesn't exist, you can't prove that you're not a member of it. So they get to sanction anyone.
> move somewhere more willing to respect international law?
Some of these sanctions are required by international law (i.e. sanctions imposed by UNSC). For the other ones, international law generally lets countries have whatever trade policy they see fit including sanctions, unless they violate some other rule of international law or treaty obligation.
Sanctioning the ICC obviously has nothing to do with trade policy.
The USA signed the Rome Statute but never ratified it, and then withdrew its signatory status. There's an argument to be made that there was a treaty obligation there, but it's pretty weak.
I personally think sanctioning the ICC judges is a disgusting act. However, ultimately all sanctions are decisions to refrain from trading with someone, so it is in a sense a trade policy. I think what you're getting at is that the USA is implementing that policy to obtain a political/diplomatic goal, which is true, but you could say the same about most trade policies.
I think article 18(a) of the Vienna Convention on the Law of Treaties means that once you withdraw your signature, you no longer have any obligations in regards to the treaty.
Maybe you could make some sort of argument that the sanctions violate the purpose of the Geneva Convention, as they are designed to prevent bringing to justice people accused of grave breaches of the Geneva Convention. Like it's an attempt to frustrate the application of article 49 of the First Geneva Convention [IANAL]
I can't answer why or why not but just in terms of track record the US is fairly egregious. The executive attempts to coerce individual UN officials via sanctions. While it may not be strictly illegal it is clearly flagrantly unethical.
> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
The agreement very plainly says otherwise:
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions
The general population of those countries are absolutely "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."
> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.
This tries to frame it as a comprehension issue. It's not.
The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous to frame this as "we really only mean government entities".
Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.
They have "clarified" elsewhere on here that the normal citizenry get a legal exemption [waves hands mystically] somehow, and that they're only blocking people when they legally have to.
Obviously (to the rest of us) if the agreement says otherwise, then they're saying that it's LE that is forbidding the citizens of these countries, and it's not (entirely) the government's fault, which completely contradicts what they're trying to say.
We should probably be clear that this document is most likely a backside-covering exercise; it exists so that people can't sue LE for denial of service without a just cause, and so that the US can't prosecute them for intentionally shipping cryptographic services, or some such rubbish.
If you live entirely outside the US legal system, or its multifaceted tendrils, and if you don't make too much noise, you may be fine. Obviously that's a far cry from a "right to free speech" level of protection, but then LE have no obligation to provide that to people outside the US, and arguably non-rich citizens within the US lost that a long time ago.
It may be the case that "most of" their sanctions-related blocks apply only to governments (let's say there are 100 such blocks), while they still disallow usage by persons located in a country or territory that is the target of comprehensive US sanctions (let's say there are 50).
I’m actually old enough to remember how PGP code was exported as a book printout because exporting computer code for cryptography with strong keys in digital form was disallowed but a book was fine (protected by first amendment rights). The printout was scanned abroad to reconstitute the source and build pgp legally.
> pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries
This is most likely OFAC. Let's Encrypt could apply for a license to do business with sanctioned entities, and given their use case it would most likely be approved.
OFAC regulates commerce, not speech. Let's Encrypt is not doing "business", they're operating a free informational service. Lots of organizations interpret any information exchange as subject to OFAC regulation, and you and Let's Encrypt have good company in this interpretation, but I think it's unnecessarily ceding ground.
The government may use as wide of an interpretation of commerce as they can get away with. We've seen this happen before [0]. Sure, Let's Encrypt isn't taking money from the entities they offer certificates to. But the OFAC desk jockey assigned to that case only has to concoct some sufficiently plausible-sounding trail of money connecting the backing 501(c)3 and a sanctioned entity in order to levy penalties, and the legal team will not like that risk, even if it's unlikely for OFAC to win on appeal in a court.
This is true, of course, and I understand why some companies don't want to take the risk. But I would hope that Let's Encrypt would take the opposite stance. They were born out of the EFF and have EFF & ACLU board members! These orgs live for this type of legal fight.
IANAL, but it seems like the argument from Wickard v. Filburn would apply to LE. They may not be taking money but they do impact the commerce of the market for certificates.
I disagree with that ruling, and I have some serious problems with sanctions against entire countries/regions, but it definitely makes sense that LE would interpret it as being impacted by OFAC.
In an alternate universe, Let’s Encrypt has a chat with someone and then states, publicly, like a speech, that they think that person owns a domain.
In our universe, Let’s Encrypt lets a client open an “account”, enters into a contract with the client (the contract is the topic of this entire post), and gives the client an API by which the client requests a certificate. Then Let’s Encrypt grants the certificate. Maybe the certificate is somehow speech. The rest sure doesn’t sound like speech to me.
Seems in all things tech at the moment the US legal system is accelerating a great split and erecting a digital iron curtain, from AI models to the more mundane like TLS certs.
It's been standard for a while for many Linux distros based in the US to toe the party line - like Red Hat having notices pretty similar to this one by LE.
Seems any meaningful Open Projects will have to choose what path they want to take, be like RISC-V and relocate or LE and others and enforce the divide.
It isn't just the US. China, Russia, the EU, and Australia and probably others are all increasingly trying to create virtual walls of various forms in the internet.
It is in the nature of nation states to assert control over national borders. That the Internet and the globalised flow of information it enables circumvents this is a historical anomaly.
Woah, I had no idea about DARPA and RISC-V. I wonder why they care about RISC-V so much? This is the best explanation that I can find:
> Open source standards provide great benefits to U.S. taxpayers in reducing the cost of advanced military system development, and also increases security by allowing the government to build their own trusted implementations at low cost.
> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.
So what? If I disagree with the direction any FOSS project (or its maintainers) is taking... I can just fork it. People have done that countless times in the history of FOSS, most notably in the xOffice schism.
No remotely western company will risk US sanctions violations or whatever other regulatory burden by using US technology where it can't be used. Even Chinese companies depending on how state backed they are might not be willing to risk it.
This is the big irony of the current situation: while the US is dependent on China for manufactured goods, China is dependent on the US for external demand for its manufactured goods.
One is the mirror image of the other and neither economy can exist in its current state in isolation.
So China has the US over a barrel when it comes to actually building stuff, rare earths and all of that, but equally US sanctions still have real bite (a lot more than China would like) because China does have to do a huge amount of international trade to export and externalise its surpluses.
I wore the rsa-dolphin t-shirt all over the place and nobody batted an eye back then, but a dolphin made up of ASCII characters is quite a bit less obvious than the one you linked.
OpenBSD being based in Canada ships strong crypto, but has had a sometimes troubled relationship with certain regimes.
> Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.
If complying with the law gets in the way of the mission I’m not sure that counts as a change to the mission.
Should NRA hand out guns to everyone who can’t get a permit where permits are required? Of course not. If they are against gun permits they have to fight the law, not break it.
The National Rifle Association (NRA) describes itself as America’s longest-standing civil rights organization.
That is a specific US-internal stance.
There's a list of organizations that started in the US, ultimately having had to work around the US legal system, in pursuit of their missions:
re Planned Parenthood Global, WikiLeaks, International Campaign to Ban Landmines, Center for Reproductive Rights, selected programs of the Human Rights Campaign Foundation, et al
This is why, as someone who works in security and encryption and has implemented web server TLS stacks and such, I still oppose the "always-https" idea.
TLS is awesome, one of the most valuable developments in Internet history. But, it is important to understand that it is a double edged sword. Requiring a CA, which in practical terms means requiring a publicly known CA, is a choke point of freedom.
What "backdoor" would Let's Encrypt even implement? That's not how a CA works.
They might be compelled to issue a certificate to an unauthorized (by browser PKI policies, not local law) entity, but that would be very conspicuous due to Certificate Transparency.
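The reason a coerced or mistaken issuance is "conspicuous" is the Certificate Transparency log structure mentioned in this comment and in the earlier one about crt.sh: every certificate becomes a leaf in an append-only Merkle tree, and anyone holding the signed tree head can check that a given certificate really is in the log (and, by monitoring, that nothing unexpected was issued for their names). The following Go program is an added example, not code from Let's Encrypt, Boulder, crt.sh or anyone in this thread. It implements the RFC 6962 hashing rules (0x00 prefix for leaves, 0x01 for interior nodes), builds the tree over a few constructed, labelled sample entries standing in for certificates, produces the inclusion proof for each leaf, and verifies it with the client-side algorithm from RFC 9162 section 2.1.3.2. Real logs serialize leaves as MerkleTreeLeaf structures around the certificate; the plain byte strings here are a simplification.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// leafHash and nodeHash follow RFC 6962 section 2.1. The distinct prefixes are
// domain separation: a leaf can never be reinterpreted as an interior node.
func leafHash(entry []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, entry...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	buf := make([]byte, 0, 1+len(left)+len(right))
	buf = append(buf, 0x01)
	buf = append(buf, left...)
	buf = append(buf, right...)
	h := sha256.Sum256(buf)
	return h[:]
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n >= 2);
// RFC 6962 splits an unbalanced tree at that point.
func largestPowerOfTwoBelow(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleTreeHash computes MTH(D[n]) over already-hashed leaves.
func merkleTreeHash(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		h := sha256.Sum256(nil)
		return h[:]
	case 1:
		return leaves[0]
	}
	k := largestPowerOfTwoBelow(len(leaves))
	return nodeHash(merkleTreeHash(leaves[:k]), merkleTreeHash(leaves[k:]))
}

// inclusionProof computes PATH(m, D[n]): the sibling hashes, leaf-to-root, that let a
// client recompute the root from leaf m alone.
func inclusionProof(m int, leaves [][]byte) [][]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(len(leaves))
	if m < k {
		return append(inclusionProof(m, leaves[:k]), merkleTreeHash(leaves[k:]))
	}
	return append(inclusionProof(m-k, leaves[k:]), merkleTreeHash(leaves[:k]))
}

// verifyInclusion is the verification algorithm from RFC 9162 section 2.1.3.2.
func verifyInclusion(leafIndex, treeSize int, leaf, root []byte, proof [][]byte) bool {
	if leafIndex >= treeSize {
		return false
	}
	fn, sn := leafIndex, treeSize-1
	r := leaf
	for _, p := range proof {
		if sn == 0 {
			return false // more proof nodes than the tree size allows
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r) // sibling is on the left
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = nodeHash(r, p) // sibling is on the right
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// sampleLeaves returns leaf hashes over constructed stand-in entries (not real certificates).
// Seven entries gives an unbalanced tree, which exercises the split logic.
func sampleLeaves() [][]byte {
	var leaves [][]byte
	for i := 0; i < 7; i++ {
		leaves = append(leaves, leafHash([]byte(fmt.Sprintf("constructed cert entry #%d for example.test", i))))
	}
	return leaves
}

func main() {
	leaves := sampleLeaves()
	root := merkleTreeHash(leaves)
	fmt.Println("tree head:", hex.EncodeToString(root))
	for i := range leaves {
		proof := inclusionProof(i, leaves)
		fmt.Printf("leaf %d: %d proof nodes, verified=%v\n", i, len(proof), verifyInclusion(i, len(leaves), leaves[i], root, proof))
	}
	forged := leafHash([]byte("entry that was never logged"))
	fmt.Println("forged entry verified:", verifyInclusion(0, len(leaves), forged, root, inclusionProof(0, leaves)))
}
```

The design point is that a log cannot quietly include an entry and later deny it, nor present a certificate as logged without a proof that chains to a signed tree head; a monitor that recomputes these hashes from the log's entries sees every issuance for its names, which is what makes a compelled issuance visible.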
How would they do that? The ACME protocol is "take the basic artifacts you use for certificate signing, wrap them in JSON (cryptographically, using standard JWS), then send them over using HTTP + TLS." Every part of that is something for which there exists a buttload of implementations in whatever language you care to use.
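To make the "wrap them in JSON using standard JWS" description concrete, here is an added Go example (not code from Let's Encrypt, Boulder, certbot or this commenter) of the request envelope an ACME client sends per RFC 8555 section 6.2: a protected header carrying the algorithm, the server's anti-replay nonce, the request URL and the account's public key as a JWK, a base64url payload, and an ES256 signature over `protected.payload`. The verify function shows the checks the server side performs before it trusts a request, including that a request replayed with a stale nonce or a different URL is rejected. The nonce, URL and payload are constructed sample values; the JWK thumbprint computed at the end is what ACME uses to build key authorizations for challenges.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWS (RFC 7515) uses base64url without padding throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// publicJWK renders a P-256 public key as the RFC 7518 JWK that goes in the "jwk"
// header of newAccount requests (later requests use "kid" instead).
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{
		"crv": "P-256",
		"kty": "EC",
		"x":   b64(pub.X.FillBytes(make([]byte, 32))),
		"y":   b64(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// jwkThumbprint is the RFC 7638 thumbprint: SHA-256 over the required JWK members
// serialized with lexicographically ordered keys and no whitespace. encoding/json
// sorts map keys, which gives exactly that canonical form.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	raw, _ := json.Marshal(publicJWK(pub))
	sum := sha256.Sum256(raw)
	return b64(sum[:])
}

// acmeJWS is the flattened JSON serialization ACME requires.
type acmeJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// signACMERequest builds the JWS for one POST: the nonce and url in the protected
// header bind the signature to a single request at a single endpoint.
func signACMERequest(key *ecdsa.PrivateKey, nonce, url string, payload []byte) (*acmeJWS, error) {
	header := map[string]interface{}{
		"alg":   "ES256",
		"nonce": nonce,
		"url":   url,
		"jwk":   publicJWK(&key.PublicKey),
	}
	hdrJSON, err := json.Marshal(header)
	if err != nil {
		return nil, err
	}
	protected, body := b64(hdrJSON), b64(payload)
	digest := sha256.Sum256([]byte(protected + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	// JWS ES256 signatures are raw r||s (32 bytes each), not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return &acmeJWS{Protected: protected, Payload: body, Signature: b64(sig)}, nil
}

// verifyACMERequest mirrors the server: parse the header, confirm alg/nonce/url, then
// check the signature over the exact bytes the client signed.
func verifyACMERequest(pub *ecdsa.PublicKey, jws *acmeJWS, expectNonce, expectURL string) (bool, error) {
	sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
	if err != nil || len(sig) != 64 {
		return false, fmt.Errorf("malformed ES256 signature")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(jws.Protected)
	if err != nil {
		return false, err
	}
	var header struct {
		Alg   string `json:"alg"`
		Nonce string `json:"nonce"`
		URL   string `json:"url"`
	}
	if err := json.Unmarshal(hdrJSON, &header); err != nil {
		return false, err
	}
	if header.Alg != "ES256" || header.Nonce != expectNonce || header.URL != expectURL {
		return false, nil // wrong algorithm, replayed nonce, or request redirected to another URL
	}
	digest := sha256.Sum256([]byte(jws.Protected + "." + jws.Payload))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, digest[:], r, s), nil
}

func main() {
	key, _ := newAccountKey()
	nonce, url := "constructed-nonce-7f3a", "https://acme.example.test/new-account" // sample values
	jws, _ := signACMERequest(key, nonce, url, []byte(`{"termsOfServiceAgreed":true}`))
	ok, _ := verifyACMERequest(&key.PublicKey, jws, nonce, url)
	replay, _ := verifyACMERequest(&key.PublicKey, jws, "some-other-nonce", url)
	fmt.Printf("valid request accepted: %v, replay with stale nonce accepted: %v\n", ok, replay)
	fmt.Println("account key thumbprint:", jwkThumbprint(&key.PublicKey))
}
```

Nothing in this envelope is exotic: a JSON encoder, SHA-256, P-256 ECDSA and an HTTP client are all a client needs, which is the commenter's point about how many independent implementations exist.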
> Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force",
Things that definitely don't happen. Those same encryption standards are used by the US military, and the international cryptography community can pretty readily rule out keyed backdoors.
The thought that supercomputers could break Internet encryption by brute force is laughable. One would have to be innumerate to think such a thing.
Anonymity and encrypted communication are two very, very different things. Have one but not the other and you're essentially handing off your private data incl. passwords to whoever that has a tap on the communication between you and the server can fetch them, too. Have the other but not the one and everyone will know who you are, but they can't eavesdrop.
I've had people straight up serve me malware when you attempt to OSINT them with Tor. Sometimes you need different kinds of anonymity, and I see a lot of one-size-fits-all proclamations on HN.
I mean, no one is stopping someone from cloning letsencrypt - it shouldn't be very hard.
Google had a similar dilemma - do they want to offer a (censored) service in China, and have a hope of keeping some marketshare, or not (and be kicked out immediately).
In this case though, it seems to be an unforced move by letsencrypt? Or was it compelled by LEAs?