According to Let's Encrypt revoked and banned


But I understand that the people behind Let’s Encrypt prefer to be on the safe side, legally speaking.

Yes, but sometimes the noble goal is worth taking some risks. This sets a dangerous precedent for LE and other CAs. CAB and EFF should put some effort into coming to a favourable decision, sticking to it, and if needed defending it in court.

The site could choose not to use HTTPS, or to use a different domain or hostname. Migration would hurt for a short while, but would not be prevented.

Also, the sanctions are against entities, not domains or hostnames. I understand that sanctions might affect EV (Extended Validation), where the entity is identified, but the link to the entity is very weak with domain validation.

The blocked identity mentions only the domain with the www. prefix.

Google seems not to be intimidated by legal threats and has taken a firmer stance:

Also, the sanctioned URL still works in all major browsers. None of them were intimidated into actively denying it service.

US-based IANA has (to my knowledge) not acted either.

LE is a relatively new player in the field and is (it seems) easily intimidated.

@anon95262142 wrote:

However, I guess that if ISRG becomes aware of such a certificate, the law may require “ceasing and desisting” from such activity, e.g. revoking it and disabling this domain.

“ceasing and desisting” would mean not renewing existing and issuing new certificates, not actively revoking existing ones.


I agree. But in the end they are under the US jurisdiction.

That’s why I strongly advocate the creation of a CA on the same model as Let’s Encrypt but under different jurisdictions.


This may help against revocation, but may make the risk of misissuance worse.


Is there any difference between revocation and misissuance?
They are both logged in CT logs and both may be “legally required” by the (US or other) government.


Revocations are not logged.


Right, perhaps revocations should be added to CT logs.


There are lots of off-the-cuff proposals for what should be logged to CT, but there are no designs or standards that would actually allow this to happen. CT is specified for certificates, not for revocation status, domain validation logs, or anything besides X.509 certificates.

The original question has been addressed in this thread and it seems like things are veering towards new and unrelated topics. I’m going to close this thread and recommend that folks interested in pursuing other topics of discussion open a new forum topic.

Thanks all,