The latest ISRG Legal Transparency Report (https://letsencrypt.org/repository/#isrg-legal-transparency-reports) shows non-zero numbers for the first time:
Reporting period: July 2017 - December 2017

| Type | Number | Users Affected |
|---|---|---|
| … | 0 | 0 |
| Subpoenas (grand jury) | 2 | 6 |
| … | 0 | 0 |

Could ISRG detail these?
- Did ISRG try to fight these requests?
- Did ISRG comply fully or partially?
- Were these two subpoenas about the same case?
- Could these subpoenas be published (Fully or partially redacted)?
- Does it impact certificate owners?
- Does it impact visitors of Let’s Encrypt website (letsencrypt.org and others)?
- Does it impact visitors of websites using a Let’s Encrypt certificate (e.g. IPs asking for OCSP)?
- Was it a request for data? If so, what kind of data? Did ISRG have it? Did ISRG give it?
- Was it a request for action (e.g. forced revocation, forced certificate issuance)? Did ISRG do it?
- Were the affected users notified? If so, before or after the fact? How long before or after?
- Were the affected users US citizens? Located (themselves, their servers or their domains) in the US?
- Are you aware of any of your subcontractors (Discourse, Akamai, GitHub, PayPal, donorbox, …) receiving similar requests about your users?
- Could more details be shared in the future (about this case or about others)?
- Any other details?
After these requests:
- Did ISRG update its procedure (how to handle these requests)?
- Retrospectively, did ISRG staff think they could/should have handled it better/differently?
- Could ISRG Legal Transparency Reports include more details where there are non-zero numbers and no gag order? (sorry to ask that only 15 days before the next one…)
Ping @lestaff as they are the only ones that can answer most of these questions!