by idoubtit 3 days ago
Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?

Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own that they are under the control of a political organization.

Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;

> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).

> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

5 comments

They could, but if the branch didn’t follow these laws, the main US branch would still be liable.
It's about time SOME entities started moving out of the US entirely.
RISC-V Foundation did, though they go out of their way to talk about it in terms that try not to piss anyone off.

> "Across 2018-2019, the RISC-V community has reflected on the geo-political landscape and we have heard concerns from around the world that investment in RISC-V must come with IP access continuity to ensure a long-term strategic investment. We first mentioned our intentions to move at the December 2018 summit. Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model. RISC-V International does not maintain any commercial interest in products or services as a non-profit, membership organization. There have not been any export restrictions on RISC-V in the US and we have complied with all US laws. The move does not circumvent any existing restrictions, but rather alleviates uncertainty going forward.

> In March 2020, the RISC-V International Association was incorporated in Switzerland. Along with this, we shifted to a new, more inclusive membership structure. Members of RISC-V International have access to and participate in the development of the RISC-V ISA specification and extensions as well as related hardware and software. RISC-V has a Board of Directors composed of member representatives as well as a Technical Committee of work group leaders."

> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.

> The IP contributed and produced by RISC-V International is held under industry and global standard licenses that are already open to leverage by any company regardless of jurisdiction. This licensing is a common open source approach to foster collaboration that is not tied to any geographic regulation. IP in the public domain has not been subject to export control.

https://riscv.org/about/

The RISC-V foundation and related companies also got a bunch of money from Europe. I am not so sure this was about leaving a repressive regime as much as chasing the European "homegrown computing" money.
This is part of why the EU is looking to move away from US-based infrastructure. The CLOUD Act basically lets Washington have an off-switch on your computing infrastructure as well as giving Washington unlimited access to any data on your computers (or that passes through them).
Other countries sanction each other too.
They mostly don't.

Or rather, when other countries say "sanctions", they are almost always talking about something completely different than the United States.

This is not about countries sanctioning each other. This is the US sanctioning a local company because a foreign company doesn’t follow certain US laws on foreign soil, where such laws don’t apply.

It’s a bit like the US arresting your mom at home in Texas because you ate a baggie of magic truffles in Amsterdam.

You're being very vague. Please explain what you mean? I don't see anything here about the US "sanctioning a local company," and I'm not aware of that being possible under US law.
Please see my answer to the sibling comment.
"Clarifying Lawful Overseas Use of Data (CLOUD) Act."
The way you are using these words seems to indicate you might be confused about how this works.

The US has not "sanctioned" LetsEncrypt or ISRG. The US sanctions foreign entities as punishment for various reasons precisely because they are not subject to US law. That's the entire point of leveraging a sanction -- to pressure those outside of your legal jurisdiction. If they were in your jurisdiction, you'd simply arrest them.

People and organizations basically anywhere are not permitted to do business with anyone your country has sanctioned. Anyone who does business internationally should be aware of their country's sanctions list. That applies no matter where you live on the planet.

This is not that though.

This is literally about a company that has a branch in the USA and another branch in another country, where it's bound by that country's laws. If the foreign entity which just so happens to be commercially linked to the one in the USA has any dealings with countries sanctioned by the US, the US branch is punished.

There was a case a few years ago where a public University in Brazil bought lab computers from Dell Brasil. Dell Brasil is a subsidiary of Dell, but it's 100% incorporated in Brazil, the computers were manufactured in Brazil, everything following Brazilian law. The computers were delivered with terms of service that prohibited them from being used for any dealings with US-sanctioned countries such as Iran and Cuba. The University was caught by surprise and questioned it, since they had many academic links with Cuban Universities, and Dell Brasil explained that.

I don't know how the whole ordeal ended. The Brazilian Federal Government got involved, I believe the Ministry of Exterior and the Ministry of Commerce and Industry both got involved and were at one point going to sue Dell Brasil. I suspect it ended with the University returning the computers and purchasing from another supplier.

The suggestion that Let's Encrypt could work around US sanctions by opening a branch in the EU falls under similar conditions, and the US branch would be liable if the EU subsidiary had dealings with US-sanctioned countries.

Ah, so it would be like the EU fining a US based company for not following certain GDPR laws even if they don't have a presence in the EU? Definitely would never happen!
It depends on the legal structure.

If they set up a subsidiary in Europe, they could be held liable for the actions of the European subsidiary.

If an independent org is stood up in Europe, with European directors, staff and funding, legally independent of the US org, and the US org just provides advice/assistance to the Europe org without the ability to control it, then legal liability for the US org for the Europe org’s decisions is less likely. Of course, ask a lawyer, but if you openly say “we are doing this to work around US sanctions” you could still be liable; if you say “this has nothing to do with sanctions, this is about resilience of global digital infrastructure and European digital sovereignty” then under what legal theory is the US org liable?

What if the branch in Iran was the main branch?
Just close down completely in the US and move to the EU
And then what? Be subject to similar sanctions from a different governing body?

e.g. https://www.consilium.europa.eu/en/policies/sanctions-agains...

So simple, just uproot your lives and move to a different continent 4heads!
Why, so they can be forced to enforce content restrictions on any provider that wants an SSL restriction?
It shouldn't be located in Europe (because, as you said, US minions are no better than the US itself). Instead it should move to a neutral country, somewhere like Singapore or Uruguay.
Suddenly the idea of having a CA hosted in space on a satellite issuing certs seems like a good idea.
You're assuming that satellites are extraterritorial. They aren't, they're ab initio the launching state's property and responsibility, barring other agreements to transfer them - and getting one out into a "legal void" isn't going to be trivial.
Over the centuries I am sure there will be random satellites that are defunct that will be hacked or otherwise "taken over" by someone with the right skills. These things are tiny compared to the distances involved and in the future you might end up using them as data reservoirs since in many cases it will be cost prohibitive for any authority to go collect or otherwise stake authority over an old piece of hardware considered junked.
In a hundred years, sure. Current satellites have neither storage nor compute capabilities of note.

That said, they don't have to grab the satellite. They have to grab you. Computer vandalism/sabotage/... laws in a lot of legal systems already apply to the controlling people in their home location regardless of the physical location/origin of the computer activity. Your controlling the computer/satellite/botnet/... is the illegal act, not the network packets leaving those systems.

They'll have to identify you first though, which might give some legal shielding.

A ship in international waters with satellite internet connection would be much cheaper, except it runs into the same problems as described by the sibling comment: https://news.ycombinator.com/item?id=48469397
You don't get 1,361 W/m² of continuous free energy when you're Earth-bound, with all those pesky water molecules.
> free energy

It is free only if you ignore the cost of getting the thing into the orbit in the first place.

Edit: also, AFAIK, normal microchips (without special radiation hardening) don't last that long in space

Also, pirates
New startup idea: Starlink for TLS.
A completely independent entity would be a far better option. The protocol is open after all; you just need to point at a different vendor.
Let's Encrypt is not some code or even a company that you can split into different branches. Their existence is one based on trust relations that Let's Encrypt has with browsers and operating systems. It is in one part similar to both domain names and IP address space, in that the technical aspects of creating alternative roots are almost trivial in comparison to getting the trust that is required for an alternative root to be accepted by the rest of the world.

Let's say someone created a Russian Let's Encrypt. It has all the technical aspects of regular LE in that you can request a certificate and get one through an ACME challenge. That is all great and all, but no browser will recognize it as valid. No operating system will recognize it as valid. The Russian state might add the new LE as valid for government computers, but the real work would be to get any other participants in the world to do the same. The issue is not a technical one but rather a social one that is built on trust.

When Russia invaded Ukraine there was a major discussion on whether IANA/ICANN should have disconnected Russia from domain names and IP addresses. That discussion ended on a decision to not do that because the symbolic benefit was deemed minor compared to the harm to the system at large, especially once the war ends. If you have two roots, then a domain name or IP address can now suddenly have two locations, and it would be a massive pain to try to fix it even if people wanted to fix it. Certificate Authorities do not share this trait since there can be an almost unlimited number of roots and none of them can conflict with each other (assuming no hash collision). If Russia spins up a new CA then people can use that one today if they want to, and they can continue to do so after the war has ended.
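Added example (not from the thread, and not Let's Encrypt code) showing the point above in working code: minting a root is a few lines, and two unrelated roots can each issue a certificate for the same hostname without conflicting; what decides whether a client accepts either is purely which root keys sit in its trust store. "Root A", "Root B" and the hostname example.test are constructed names for the demo. The chain check is deliberately minimal (issuer name, signature, SAN, validity); real clients also check key usage, path length, revocation and more. Requires the `cryptography` package.

```python
"""Toy trust-store check: two unrelated roots, one hostname.

Added example, not code from the thread or from Let's Encrypt. Builds two
self-signed roots (hypothetical "Root A"/"Root B") that each issue a leaf for
the same hostname, plus an impostor root that copies Root A's *name* but not
its key. verify_chain() shows which leaves a client accepts depending on
which roots are in its store. Validation here is deliberately minimal.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "example.test"  # constructed hostname for the demo


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_root(cn):
    """Self-signed CA certificate: anyone can mint one in a few lines."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Leaf for `hostname` signed by the given CA (what an ACME issuance ends in)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _now()
    return (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def _validity(cert):
    # Prefer tz-aware accessors (cryptography >= 42); fall back to the naive UTC ones.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_chain(leaf, trust_store, hostname, now=None):
    """Return the root in `trust_store` that vouches for `leaf`, or None.

    Trust is decided by the root's key, not its name: an impostor root with an
    identical subject name fails the signature check and is skipped.
    """
    now = now or _now()
    nvb, nva = _validity(leaf)
    if not (nvb <= now <= nva):
        return None
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return None
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(
                leaf.signature, leaf.tbs_certificate_bytes,
                ec.ECDSA(leaf.signature_hash_algorithm),
            )
            return root
        except InvalidSignature:
            continue  # same name, wrong key: keep looking
    return None


ROOT_A_KEY, ROOT_A = make_root("Root A (hypothetical)")
ROOT_B_KEY, ROOT_B = make_root("Root B (hypothetical)")
IMPOSTOR_KEY, IMPOSTOR = make_root("Root A (hypothetical)")  # same name, different key
LEAF_A = issue_leaf(ROOT_A_KEY, ROOT_A, HOST)
LEAF_B = issue_leaf(ROOT_B_KEY, ROOT_B, HOST)
LEAF_X = issue_leaf(IMPOSTOR_KEY, IMPOSTOR, HOST)


def demo():
    """Which leaf is accepted under which trust store (all issued for HOST)."""
    only_a, both = [ROOT_A], [ROOT_A, ROOT_B]
    later = _now() + datetime.timedelta(days=400)
    return {
        "a_under_a": verify_chain(LEAF_A, only_a, HOST) is ROOT_A,
        "b_under_a": verify_chain(LEAF_B, only_a, HOST) is not None,  # False: B not trusted
        "x_under_a": verify_chain(LEAF_X, only_a, HOST) is not None,  # False: impostor key
        "a_under_both": verify_chain(LEAF_A, both, HOST) is ROOT_A,
        "b_under_both": verify_chain(LEAF_B, both, HOST) is ROOT_B,  # no conflict between roots
        "wrong_host": verify_chain(LEAF_A, both, "other.test") is not None,  # False
        "expired": verify_chain(LEAF_A, both, HOST, now=later) is not None,  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

The "b_under_both" case is also the flip side that the next comment raises: once a client trusts Root B, Root B can issue for any hostname it likes, which is exactly why a state-owned root in the store is a MITM position.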

Russia already has its own root CA, the issue is that state-owned root CAs are by definition not safe from MITM attacks by the same government.
It is lunacy, complete delusion, to think that a privately owned (by oligarchy) root CA that is trusted by every web browser and OS on the planet is somehow superior or safer from the point of view of a state actor attack than an explicitly state-owned root CA. You must be living in fairyland.
There are other non-US equivalents to Lets Encrypt.