Related to this discovery https://community.letsencrypt.org/t/blocklist-incident-november-21-2016/ have the ISRG staff/CEO/law personnel, etc. considered expanding to other countries too, so that they are not affected by some sanctions?
Apologies for the delayed answer. I didn’t see this until now. It’s an interesting question and the answer is complicated; I’ll try to explain our thinking on this as best I can.
Right now there are very few situations in which we would want to issue but U.S. sanctions would prevent us from issuing. That being the case, reducing our exposure to sanctions requirements is not a particularly high priority. At this point it’s certainly not something which, at least on its own, would merit the expense and effort required to “expand” to another country.
We do keep an eye on the evolution of sanctions requirements, and have discussed the pros and cons of various options. Right now we have no plans to “expand” our operations outside of the United States.
I keep putting the word “expand” in quotes because what expanding would realistically look like if we ever did do it is very unclear. It would depend on a lot of factors like: funding, which country we’re talking about, and why we’re doing it. For example - expanding might mean the U.S.-based non-profit ISRG simply locating some servers/operations in another country, but it could also mean starting a separate non-profit entity in another country, with its own (possibly very similar) operations and governance. I don’t want to get too speculative – like I said, this isn’t something we’re planning to do right now so what might make sense is very hard to say.
As a CA, is Let’s Encrypt affected in any way by strong encryption export laws in the US?
From what I understand the ACME protocol is essentially a US invention?
Are you required for example to not issue EC certificates to countries where strong encryption is not allowed to be exported?
I only ask because we used to run into a lot of trouble with firewalls and VPN-related technologies in previous roles, so wondering how this affects a CA.
I am not aware of Let’s Encrypt having had to make any decisions based on U.S. law limiting use of, or export of, cryptography. I would say it’s a non-issue for us right now. I hope that continues to be the case.