To note, General License D-1 Annex 11 provides authorization for export of SSL Certificate services to Iran, and GL D-1 §6, entitled “Publicly available, no cost services and software to the Government of Iran,” authorizes such items to Iranian government entities provided it is offered at no cost . Sudan and Cuba are similar covered by License Exception ‘Consumer Communications Devices’ (EAR §740.19) . Under the CCD, Cuban government and Communist party officials are not eligible end users, however, §§©(1)(iii) does permit not-for-cost information security software to be exported to Sudanese government entities. Crimea (absent from your list, but still broadly sanctioned) and Syria have older authorizations for personal communications services over the Internet offered at no cost (and I believe to non-governmental users), which would likely exempt the CA services, however, no such provisions exist for North Korea – so I would encourage Let’s Encrypt to exercise caution with regard to DPRK entities.
Neither GL D-1 nor the CCD permit exports to SDN entities, but that’s a fact of life that Let’s Encrypt would have to deal with more broadly than sanctioned countries, e.g. under the Russian sanctions program.
I am elated that Let’s Encrypt will play a role in providing certificates to individuals living under sanctions, as users are constantly subject to terminated SSL services for questionable reasons. If any further needs arise in providing services to such individuals, please be in touch.