[morpheuskafka]

Providing information (website, CT log, CRL) is fine, but creating a certificate on request is clearly a service. How is that different than providing a computation or LLM output in response to a prompt? Moreover, it is clearly not just the physical act of signing a CSR, but the verification of ownership that comes with it. That's just as much as service fully automated as if a human were doing it.

Now, does this serve a policy purpose? Perhaps not--US computers trust plenty of non-US CAs that could continue to serve these customers. But that's not how comprehensive sanctions are set up, they are effectively a complete embargo.

A better question is whether telecom carveouts (general licenses) in the sanctions may allow this. That is a country by country question as each one is worded differently.

[greyface-]

OFAC has authority to regulate commercial services under the Commerce Clause. Not all services are commercial in nature. There is no economic exchange inherent in running a certificate authority. If LE charged money for certificates, that would be a different matter. LE's differentiating factor from the previous era of CAs is that they are non-commercial.