But I understand that the people behind Let’s Encrypt prefer to be on the safe side legally speaking.
Yes, but sometimes the noble goal is worth taking some risks. This enforces a dangerous precedent for LE and other CAs. CAB and EFF should put some effort to come to a favourable decision, stick to it, and if needed defend it in court.
The site could choose to not use https or use a different domain or hostname. Migration would hurt for a short while, but not be prevented.
Also, the sanctions are against entities, not domains or hostnames. I understand that sanctions might affect EV (Extended Validation), where the entity is identified, but the link to the entity is very weak with domain validation.
The blocked identity: https://sanctionssearch.ofac.treas.gov/Details.aspx?id=7377 mentions only the domain with the www. prefix.
Google seems to not be intimidated by legal threats and has a firmer stand:
- listing them in search results: https://www.google.com/search?q=Californians+Yellow+Vests+Inauguration+Gavin+Newsom
- offering them the Google Fonts API service
- not blocking it in Chrome
- not blocking it in https://safebrowsing.google.com/
Also, the sanctioned URL still works in all major browsers. None of them were intimidated into actively denying them service.
US-based IANA has (to my knowledge) not acted either.
LE is a relatively new player in the field and is (it seems) easily intimidated.
However, I guess if ISRG becomes aware of such a certificate, the law may require “ceasing and desisting” from such activity, e.g. revoking it and disabling this domain.
“Ceasing and desisting” would mean not renewing existing and issuing new certificates, not actively revoking existing ones.