alt Hacker NewsI would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
The question is, will that be enough? If OFAC can demonstrate that even with such restrictions, sanctioned entities are frequently obtaining certificates, they may be forced to require account creation or something else as a means of limiting that.
They also likely would have to implement some kind of domain name screening, just like banks have to block transfers that mention "Havana" or "Tehran".
They are currently not doing anything, even ccTLD blocks. They have issued certificates for .kp domains this month and in August of last year.