Hacker News

morpheuskafka today at 6:06 PM

Providing information (website, CT log, CRL) is fine, but creating a certificate on request is clearly a service. How is that different than providing a computation or LLM output in response to a prompt? Moreover, it is clearly not just the physical act of signing a CSR, but the verification of ownership that comes with it. That's just as much a service fully automated as if a human were doing it.

Now, does this serve a policy purpose? Perhaps not--US computers trust plenty of non-US CAs that could continue to serve these customers. But that's not how comprehensive sanctions are set up; they are effectively a complete embargo.

A better question is whether telecom carveouts (general licenses) in the sanctions may allow this. That is a country-by-country question, as each one is worded differently.


Replies

greyface- today at 6:19 PM

OFAC has authority to regulate commercial services under the Commerce Clause. Not all services are commercial in nature. There is no economic exchange inherent in running a certificate authority. If LE charged money for certificates, that would be a different matter. LE's differentiating factor from the previous era of CAs is that they are non-commercial.