How will US/EU sanctions on Russia restrict certificate issuance?

9peppe · February 27, 2022, 10:15pm

I see there's something here about what happens in "ordinary times" and I see it's somewhat close to the DoC entity list: Certificates for US sanctioned countries - #4 by josh

But right now the situation is precipitating really fast, with aircraft leasing companies pulling out of Russia, for example.

And the DoC itself publishing a new document on Russia specifically in which (§5) there is an exception for

ENC (Encryption Commodities, Software, and Technology), for encryption items, but not if they are destined for Russian ‘government end users’ and Russian state-owned enterprises; and

CCD (Consumer Communication Devices), for consumer communication devices, but not if they are destined for government end users or certain individuals associated with the government.

Does any of that apply to TLS certificates and/or impact Let's Encrypt?

9peppe · February 28, 2022, 2:51pm

The other thread is giving me ideas.

jvanasco · February 28, 2022, 3:35pm

Sanctions in situations like this typically apply only to government owned or operated entities; citizens and private individuals are usually exempt -- unless they (or a controlling owner/operator) are specifically identified in a set of sanctions or are listed in the US "Specially Designated Nationals And Blocked Persons List".

In the past, ISRG/LetsEncrypt have blocked certificates for domains connected to sanctioned governments and specially designated individuals, but still allowed independent citizens of those countries and owners of CC TLD domains to procure certificates.

I think we can expect ISRG to begin blocking issuance to that limited subset of applicable entities/domains - if they haven't already.

However, the blockage would assume those entities/domains utilize LetsEncrypt Certificates to start. Perhaps some of the individually sanctioned oligarchs own companies that utilize LetsEncrypt certificates, but SSL/TLS in Russia is pretty complicated. Putin and the KGB have been exploring making SSL Certificates illegal, or requiring only certs from a state run CA for a few years (I'm not sure on the status of that now, but they were publicly looking to join the CA/B forum and root programs a few years ago). I've read in the past that a lot of public SSL stuff in Russia is based on side-loaded roots, because the promoted/preferred CAs are not pre-loaded into trust roots.

TLDR; ISRG will have to limit, but the actual impact will be minimal if anything.

9peppe · February 28, 2022, 3:44pm

It looks like they do use LE certificates, even if the impact will be mostly on "foreign-facing" websites.

Like these (3) unsuccessful attempts by Kazakhstan, you mean?

jvanasco · February 28, 2022, 4:11pm

Here's one from a few years ago. If you dig deep into the subject, you'll learn there are lots of weird untrusted CAs in Russia with close government ties: The Kremlin reportedly wants to create a state-operated center for issuing SSL certificates — Meduza

gosh_x · March 3, 2022, 3:01pm

We should spread freedom and security to the people! Please, stop promoting discrimination and politics in the communities committed for long time to liberty.

system · April 2, 2022, 3:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.