Hacker News

jaas, yesterday at 10:58 PM (4 replies)

Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.

Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

It doesn't.


Replies

morpheuskafka, today at 8:50 AM

You issued a certificate for North Korea's email infrastructure as recently as six days ago:

https://crt.sh/?id=26878583197 (06/04/2026 smtp.star-co.net.kp)
https://crt.sh/?id=20256841119 (08/11/2025 *.star.net.kp)

Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies, e.g. [email protected] (IP Office), [email protected] (Sci/Tech Commission), [email protected] (Ministry of Culture and Sports), [email protected] (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.

How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?

CobrastanJorji, today at 5:31 AM

Thanks for responding, and to clarify, I am confident that Let's Encrypt is shared as widely as they are able. Could you explain what that requirement does stem from?

notamario, yesterday at 11:19 PM

When you say "our legal requirements", do you mean requirements LE imposes in its agreements or requirements imposed on LE by governments?

FireBeyond, today at 2:25 AM

> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

The agreement very plainly says otherwise:

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions

The general population of those countries is absolutely made up of "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."

> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

This tries to frame it as a comprehension issue. It's not.

The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous, to frame this as "we really only mean government entities".

Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.
