Recent events made me to look at the US goverment sanction list - as a US entity, Let's Encrypt should NOT issue to anyone on the list.
https://www.treasury.gov/ofac/downloads/sdnlist.txt
However, I see orders for domains clearly listed there (which are not new Russian peoples) and have been for long time.
Is this worrying that Let's Encrypt is ignoring or not following US Gov requirement heres?
Previously have said they MUST:
That link isn't working for me right now.
Using an alternate tool, I don't see any recently issued certs by LE for that domain.
Please show an example of a cert that you are questioning.
This is probably an oversight or different rules apply to third level domains. You can notice that they're not using Let's Encrypt certificates on their main site.
Is the filter only on the exact second level domain (certs from a Polish CA #1 #2) and not all those descending from it?
ISRG/LetsEncrypt complies with the sanctions and their staff often make reference to that list and the searchable database version.
To my knowledge, their automated systems are usually able to catch these. However, it is possible - and expected - for an organization that has over 200 Million active certificates to let some through. If you find they have issued a certificate in error, you can contact LetsEncrypt with information about the certificate and the corresponding entry on the sanctions lists. These issuance errors are because the US sanctions list targets people and companies, not domain names; ownership of domain names is usually shielded through privacy systems, but it is extremely hard to correlate public domain info to the sanctions list.
Well, maybe not in this case. The question remains as to whether subdomains and wildcards of this apex listed by @9peppe count as sanctioned. I assume staff will find this soon enough and will clarify
Here is the part from that list referred by OP (emphasis mine)
:
AL MAHDI ALUMINUM COMPANY (a.k.a. ALMAHDI ALUMINUM CO.), 1st Floor,
No. 12, Bibie Shahrbanoei Ally., West Saeb Tabrizi St., North
Sheikh Bahaei St., Molla Sadra St., Vanak Sq., Tehran, Iran; 18th
Km., Shahid Rajaee Quay Road, Bandar Abbas, Iran; Website
http://almahdi.ir; Additional Sanctions Information - Subject to
Secondary Sanctions [IRAN-EO13871].
Perhaps not, but in general it's rare for this information to be available and usable by automated systems. The entity in question could have dozens or hundreds of other domains.
My guess is that this is either an accidental oversight, or LetsEncrypt does not have to comply with the "Secondary Sanctions" leveraged against this entity (they are different than primary sanctions and a bit more limited in scope). I'm just thinking out loud on this, but since the root domain has a cert from another CA – I wouldn't be surprised if there was a bug/deficiency in the code that only matched the bare domain, and erroneously let the subdomains through.
Adding: Like everyone else, I am eager to find out from ISRG/LetsEncrypt why this happened. My comments above are to provide context why this, in itself, is nothing to be outraged about. There are many reasons to explain how and why certificates like this can be mis-issued, or legally issued. The reasons for issuance are potentially problematic, but between various factors (including: technology, scale, and data), the issuance of a certificate itself isn't worrisome - even when mis-issued.
No, the SDN is published quite clearly and in plain text by the US Gov.
If it's an accidental oversight, that's quite bad. If they are intentionally ignoring the SDN that is far worse.
It does seem we would need to hear from LE staff here.
This is a relatively shortsighted interpretation of how the SDN list works in real life applications. It is rare for website information to appear on the SDN list. Sanctions are applied against corporate and individual entities, not domains, and those entities may own hundreds of domains. The US Government does not regularly track or publish this information.
Organizations typically rely on commercial third party systems who track the sanctioned entities' business activities in real time for compliance, and do not utilize the SDN list directly. I assume ISRG does the same, as they regularly block domains merely on suspicion of being linked to entities on the SDN list. Reference the recent "Please Remove my Blacklist from my domain" as an example of a domain that was blocklisted without appearing on the SDN list itself.
Tagged lestaff to have someone address this possible mis-issue.
Edit: 1) removed tag, as they were notified. 2) Discourse automatically renders the above link with it's title, which contains an antiquated non-inclusive term. That specific term should be avoided in favor of the neutral term "blocklist", as I used in my own text.
Uhm, they currently have a cert by another US-based (UK intermediate) CA.
It is also a "Fake News" disinformation website pretending to be an actual US company, and syndicates Russian state-owned media content. If you notice on their website, the header claims "KXAN Austin" and the footer claims "Fairview Kersey, Pennsylvania". I tried contacting the actual KXAN, but did not get a response.
I contacted the staff via PM within minutes of this topic being created, so they should have a good lead time going.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
