Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.
Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.
> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
It doesn't.
You issued a certificate for North Korea's email infrastructure as recently as six days ago:
https://crt.sh/?id=26878583197 (06/04/2026 smtp.star-co.net.kp)
https://crt.sh/?id=20256841119 (08/11/2025 *.star.net.kp)
Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies ex. ipa817@star-co.net.kp (IP Office), kscost@star-co.net.kp (Sci/Tech Commission), ksf@star-co.net.kp (Ministry of Culture and Sports), mhs-ip@star-co.net.kp (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.
How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?
Thanks for responding, and to clarify, I am confident that Let's Encrypt is shared as widely as they are able. Could you explain what that requirement does stem from?
When you say “our legal requirements”, do you mean requirements LE imposes in its agreements or requirements imposed on LE by governments?
I was referring to the requirements imposed on us. When it comes to sanctions, we do not block anything more than what is required by law.
The current US government sanctions political enemies [0].
Wouldn't the more rational response to this legal situation be to leave the USA and move somewhere more willing to respect international law?
[0] https://www.whitehouse.gov/presidential-actions/2025/02/impo...
According to the current administration, almost half of the US is considered a political enemy of the current administration.
Soon they might be pushing for Operating Systems to gather political party preference information, so they can know who should be restricted from the use of strong encryption. The options being:
1. I love america
2. Radical left looney
3. Neither male nor female.
4. Those that tremble as if they were mad[0]
[0]: https://thewhippet.org/the-whippet-134-those-that-tremble/#c...
It'll be interesting when/if they sanction Antifa. Since it doesn't exist, you can't prove that you're not a member of it. So they get to sanction anyone.
Proof has no relevance if you are prevented from accessing the legal system (e.g. thrown into a concentration camp for immigrants)
> move somewhere more willing to respect international law?
Some of these sanctions are required by international law (i.e. sanctions imposed by UNSC). For the other ones, international law generally lets countries have whatever trade policy they see fit including sanctions, unless they violate some other rule of international law or treaty obligation.
Sanctioning the ICC obviously has nothing to do with trade policy.
The USA signed the Rome Statute but never ratified it, and then withdrew its signatory status. There's an argument to be made that there was a treaty obligation there, but it's pretty weak.
I personally think sanctioning the ICC judges is a disgusting act. However, ultimately all sanctions are decisions to refrain from trading with someone, so it is in a sense a trade policy. I think what you're getting at is that the USA is implementing that policy to obtain a political/diplomatic goal, which is true, but you could say the same about most trade policies.
I think article 18(a) of the Vienna Convention of the Law of Treaties means that once you withdraw your signature, you no longer have any obligations in regards to the treaty.
Maybe you could make some sort of argument that the sanctions violate the purpose of the Geneva Convention as they are designed to prevent bringing to justice people accused of grave breaches of the Geneva Convention. Like it's an attempt to frustrate the application of article 49 of the First Geneva Convention [IANAL].
Why would other countries be less likely to impose sanctions on their political enemies?
I can't answer why or why not but just in terms of track record the US is fairly egregious. The executive attempts to coerce individual UN officials via sanctions. While it may not be strictly illegal it is clearly flagrantly unethical.
By whose law? Thailand? China? Germany? Afghanistan?
> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
The agreement very plainly says otherwise:
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions
The general population of those countries are absolutely "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."
> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.
This tries to frame it as a comprehension issue. It's not.
The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous, to frame this as "we really only mean government entities".
Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.
They have "clarified" elsewhere on here that the normal citizenry get a legal exemption [waves hands mystically] somehow, and that they're only blocking people when they legally have to.
Obviously (to the rest of us) if the agreement says otherwise, then they're saying that it's LE that is forbidding the citizens of these countries, and it's not (entirely) the government's fault, which completely contradicts what they're trying to say.
We should probably be clear that this document is most likely a backside-covering exercise; it exists so that people can't sue LE for denial of service without a just cause, and so that the US can't prosecute them for intentionally shipping cryptographic services, or some such rubbish.
If you live entirely outside the US legal system, or its multifaceted tendrils, and if you don't make too much noise, you may be fine. Obviously that's a far cry from a "right to free speech" level of protection, but then LE have no obligation to provide that to people outside the US, and arguably non-rich citizens within the US lost that a long time ago.
It may be the case that "most of" their sanctions-related blocks apply only to governments (let's say there are 100 such blocks), while they still disallow usage by persons located in a country or territory that is the target of comprehensive US sanctions (let's say there are 50).
I assumed that they meant that they will not enforce it via technical means.
Came here to quote exactly that paragraph.