What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?
Has letsencrypt been served with a subpoena?
While it's certainly possible that ISRG has been served a subpoena because it appears the US DOJ is now a mix of hacks and incompetent buffoons, it wouldn't matter because the whole point is that they don't know anything - what you told them is literally logged publicly for everybody to see without even knowing how to spell "subpoena" let alone issue one.
Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy, and so the US government could get this secret with a subpoena - but the whole fucking point of a Public Key Infrastructure is that we're using Public Key Encryption; if we were OK with everybody having secrets all over the place this entire thing wouldn't be needed.
Looking at LavaBit^1 I really would not be so comfortable. The world and especially the US has not gotten more free since then.
So to be effective this means a hypothetical bad actor (maybe the US government or anybody else) issues bogus certificates, then either logs them - making a permanent record for everybody to see, or also subverts two or more logs, so that they issue bogus proofs.
This is a very expensive one shot attack on whatever the target would be, I guess it's not stupider than "Let's bomb Iran for no good reason" but it's up there.
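The logging point above is also what makes misissuance detectable: a monitor that watches CT for your names can flag a certificate from an issuer you never use, or one whose SCTs come from fewer logs than the "two or more" threshold the comment describes. The following is an added example, not code from the thread or from Let's Encrypt; the log entries, log ids and issuer names are constructed and modelled loosely on what a CT monitor returns.

```python
# Added example: audit constructed CT monitor output for one domain.
# Two defender-side checks: (1) certs from an issuer other than the CA you
# actually use, and (2) certs whose SCTs come from fewer distinct logs than
# the threshold you require (here 2, matching the "two or more logs" point).
# All entries, log ids and issuer strings below are constructed, not real.

EXPECTED_ISSUER = "C=US, O=Let's Encrypt, CN=R11"  # assumed expected issuer

SAMPLE_ENTRIES = [
    {"serial": "01", "issuer": "C=US, O=Let's Encrypt, CN=R11",
     "names": ["example.test", "www.example.test"],
     "sct_log_ids": ["log-a", "log-b"]},
    {"serial": "02", "issuer": "C=XX, O=Unknown CA, CN=Bogus Issuer",
     "names": ["example.test"],
     "sct_log_ids": ["log-c", "log-d"]},
    {"serial": "03", "issuer": "C=US, O=Let's Encrypt, CN=R11",
     "names": ["mail.example.test"],
     "sct_log_ids": ["log-a", "log-a"]},  # same log twice counts once
]


def unexpected_issuers(entries, expected_issuer=EXPECTED_ISSUER):
    """Serials of certificates not issued by the CA you expect."""
    return [e["serial"] for e in entries if e["issuer"] != expected_issuer]


def under_logged(entries, min_logs=2):
    """Serials of certificates carrying SCTs from fewer than min_logs
    distinct logs (duplicate SCTs from one log do not add coverage)."""
    return [e["serial"] for e in entries
            if len(set(e["sct_log_ids"])) < min_logs]


def audit(entries, expected_issuer=EXPECTED_ISSUER, min_logs=2):
    """Run both checks and return {serial: [finding, ...]} for anything
    that needs a human to look at it."""
    report = {}
    for s in unexpected_issuers(entries, expected_issuer):
        report.setdefault(s, []).append("unexpected issuer")
    for s in under_logged(entries, min_logs):
        report.setdefault(s, []).append("fewer than %d logs" % min_logs)
    return report


if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_ENTRIES).items():
        print(serial, "->", ", ".join(findings))
```

On the constructed data, serial 02 is flagged for its issuer and serial 03 for single-log coverage; a real monitor would feed this from a CT log or aggregator instead of the embedded list.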
LetsEncrypt certainly doesn't, but I've seen certificate storefronts that generate the key on their side and provide you the key and the certificate, so you don't have to figure out how to generate a key.
But yes, you're correct that, especially when "cheap SSL" was a thing, outfits which did this really existed. In fact one of the companies which did this, and then deliberately revealed customer keys, resulting in all the affected certificates being revoked, isn't even bankrupt, so apparently their customers are so stupid that they're still paying money for a service that's much worse than useless. Not an optimistic thought about humanity.
https://www.france24.com/en/americas/20250820-us-hits-icc-wi...
https://community.letsencrypt.org/t/why-issue-certificate-fo...
Europe starts to shield itself from the risk since Nicolas Guillou, the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case)
China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the government.
US stands so much for freedom that it's the first country to refuse immigration to FIFA World Cup teams and athletes, with Iranians not allowed to stay between games and a Somali goalkeeper being turned away at the border. Germany itself didn't do that for the 1936 Olympics.
So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds was already a risk of loss of revenue from FISA requests to undercut your bid and rot your company, and using US dollars for trade was already a liability.
In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution
The EU could easily bootstrap a Let's Encrypt competitor if it truly cared about removing dependencies on US based entities.
Cross-signed roots are common. Just takes money and maybe audits, but it's the same audit they'd need to get in the browser root stores anyway.
> 2. officially or formally ratified or confirmed.
> 3. penalized, especially by way of discipline or to force compliance with legal obligations.
So who can use lets encrypt? Those that are penalised or those that are confirmed.
> [You certify to LetsEncrypt that] …
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
But can we still trust them?
I am not well versed in how their systemwide certificate issuance works: if they have to add this to their terms to comply with their government, could the same government use pressure to leverage let's encrypt to do harm?
Especially since sanctions are transitive. Mozilla and Google, being US companies, are actually not allowed to trust any entity whose purpose is to work around sanctions. Their members could go to jail for that.