by greyface- 4 days ago
OFAC regulates commerce, not speech. Let's Encrypt is not doing "business", they're operating a free informational service. Lots of organizations interpret any information exchange as subject to OFAC regulation, and you and Let's Encrypt have good company in this interpretation, but I think it's unnecessarily ceding ground.

The government may use as wide of an interpretation of commerce as they can get away with. We've seen this happen before [0]. Sure, Let's Encrypt isn't taking money from the entities they offer certificates to. But the OFAC desk jockey assigned to that case only has to concoct some sufficiently plausible-sounding trail of money connecting the backing 501(c)3 and a sanctioned entity in order to levy penalties, and the legal team will not like that risk, even if it's unlikely for OFAC to win on appeal in a court.

[0]: https://en.wikipedia.org/wiki/Wickard_v._Filburn

This is true, of course, and I understand why some companies don't want to take the risk. But I would hope that Let's Encrypt would take the opposite stance. They were born out of the EFF and have EFF & ACLU board members! These orgs live for this type of legal fight.
IANAL, but it seems like the argument from Wickard v Filburn would apply to LE. They may not be taking money but they do impact the commerce of the market for certificates.

I disagree with that ruling, and I have some serious problems with sanctions against entire countries/regions, but it definitely makes sense that LE would interpret it as being impacted by OFAC.

Providing information (website, CT log, CRL) is fine, but creating a certificate on request is clearly a service. How is that different than providing a computation or LLM output in response to a prompt? Moreover, it is clearly not just the physical act of signing a CSR, but the verification of ownership that comes with it. That's just as much a service fully automated as if a human were doing it.

Now, does this serve a policy purpose? Perhaps not--US computers trust plenty of non-US CAs that could continue to serve these customers. But that's not how comprehensive sanctions are set up, they are effectively a complete embargo.

A better question is whether telecom carveouts (general licenses) in the sanctions may allow this. That is a country by country question as each one is worded differently.

OFAC has authority to regulate commercial services under the Commerce Clause. Not all services are commercial in nature. There is no economic exchange inherent in running a certificate authority. If LE charged money for certificates, that would be a different matter. LE's differentiating factor from the previous era of CAs is that they are non-commercial.
GitHub was recently granted a license from OFAC to allow their services to be used from Iran. You can read about it here: https://github.com/github/site-policy/blob/main/Policies/oth...

And here: https://github.blog/news-insights/policy-news-and-insights/a...

IANAL, but this seems wrong.

In an alternate universe, Let’s Encrypt has a chat with someone and then states, publicly, like a speech, that they think that person owns a domain.

In our universe, Let’s Encrypt lets a client open an “account”, enters into a contract with the client (the contract is the topic of this entire post), and gives the client an API by which the client requests a certificate. Then Let’s Encrypt grants the certificate. Maybe the certificate is somehow speech. The rest sure doesn’t sound like speech to me.

Wasn't there news a bit ago about some people being suddenly excluded from Linux kernel development for presumably similar reasons?