I don't think so. There was a dip in success rates for 90 minutes today, but nobody should be renewing their certificate within 90 minutes of expiration. If you're at that point, something went wrong weeks ago.
You obviously haven't worked with hardware guys.
"I mean, what's the point of those last 30 days if you need to renew it 30 days before expiration? Why not just renew it before it expires? If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?"
Many countries won't let you enter if your passport expires less than 6 months after your planned departure date. Basically the effective validity of a passport is 0.5 years less than the period you pay for.
How long do you think a certificate lives?
If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days, giving you 3 days for a successful renewal. A 90 minute outage, even if it was a full outage, would not interfere with a successful renewal.
It seems our status.io notes are being misinterpreted as much more severe than they were intended to reflect.
Edit: Note that this was written in response to a previous submission title implying that Let's Encrypt was entirely down most of the day.
P.S. JS injection into TCP packets and other meddling with passthrough data should be banned legally, not technically via encryption.
Edit: my bad. I’ve tried as well recently, when you’re rushing to get your new domain up of course…
Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable; we'll work on that.
> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
It doesn't.
https://crt.sh/?id=26878583197 (06/04/2026 smtp.star-co.net.kp) https://crt.sh/?id=20256841119 (08/11/2025 *.star.net.kp)
Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies, e.g. ipa817@star-co.net.kp (IP Office), kscost@star-co.net.kp (Sci/Tech Commission), ksf@star-co.net.kp (Ministry of Culture and Sports), mhs-ip@star-co.net.kp (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.
How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?
You can see them all on crt.sh, because LE has to upload them to a CT log for browsers to trust them. (That’s how most of those subdomain finder websites work too.) The email servers seem to have gotten certs from a for profit CA back in 2015, but I’m not sure if they ever used them. Most of their webspace seems to be HTTP only. (And it’s a good thing, because some of their Apache versions are potentially old enough to have Heartbleed.)
The architects' website has some pretty cool PDF magazines btw. They also have several websites for their insurance companies (perhaps some intl org needs them to have a website for listing)—that's a core hard currency stream for them and they previously have been accused of submitting false losses.
http://www.koreanarchitecture.gov.kp/index.php?kt=TWFnYXppbm...
The agreement very plainly says otherwise:
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions
The general population of those countries are absolutely "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."
> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.
This tries to frame it as a comprehension issue. It's not.
The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous to frame this as "we really only mean government entities".
Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.
Obviously (to the rest of us) if the agreement says otherwise, then they're saying that it's LE that is forbidding the citizens of these countries, and it's not (entirely) the government's fault, which completely contradicts what they're trying to say.
We should probably be clear that this document is most likely a backside-covering exercise; it exists so that people can't sue LE for denial of service without a just cause, and so that the US can't prosecute them for intentionally shipping cryptographic services, or some such rubbish.
If you live entirely outside the US legal system, or its multifaceted tendrils, and if you don't make too much noise, you may be fine. Obviously that's a far cry from a "right to free speech" level of protection, but then LE have no obligation to provide that to people outside the US, and arguably non-rich citizens within the US lost that a long time ago.
This is not something that you apply for; a general license already applies to everyone. The legalese or restrictions companies use exist because they cannot (or will not) validate everyone is who they say they are. This obviously doesn't apply to companies who deal with controlled exports, where they are responsible for whoever ultimately receives the controlled export.
I am not a lawyer and this is not legal advice.
https://ofac.treasury.gov/selected-general-licenses-issued-o...
Generally the software carveouts are very limited - it's not just "providing IT services or technology to individuals for personal use", i.e. Sudan:
> software updates for medical devices to Sudan
Indeed, of the software carveouts listed on that page, only two are not related to the operation or update of medical devices:
- provision of Internet services to the people of the Ukraine (read: "Starlink")
- provision of messaging services to members of the Government of Venezuela.
Wouldn't the more rational response to this legal situation be to leave the USA and move somewhere more willing to respect international law?
[0] https://www.whitehouse.gov/presidential-actions/2025/02/impo...
Soon they might be pushing for Operating Systems to gather political party preference information, so they can know who should be restricted from the use of strong encryption. The options being:
1. I love america
2. Radical left looney
3. Neither male nor female.
4. Those that tremble as if they were mad[0]
[0]: https://thewhippet.org/the-whippet-134-those-that-tremble/#c...
Some of these sanctions are required by international law (i.e. sanctions imposed by UNSC). For the other ones, international law generally lets countries have whatever trade policy they see fit including sanctions, unless they violate some other rule of international law or treaty obligation.
The USA signed the Rome Statute but never ratified it, and then withdrew its signatory status. There's an argument to be made that there was a treaty obligation there, but it's pretty weak.
I think article 18(a) of the Vienna Convention on the Law of Treaties means that once you withdraw your signature, you no longer have any obligations in regards to the treaty.
Maybe you could make some sort of argument that the sanctions violate the purpose of the Geneva Convention as they are designed to prevent bringing to justice people accused of grave breaches of the Geneva Convention. Like it's an attempt to frustrate the application of article 49 of the first Geneva Convention [IANAL]
> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
It doesn't work that way.
Blocking governments from getting certs doesn't hurt them in the slightest. The government can just create their own PKI.
But it hurts the general population instead. People do not live in a vacuum; they still need to access government sites. And thus people are forced to install root certificates of questionable trust.
When Let's Encrypt blocks government entities, it instead puts the respective vulnerable population in an even less secure environment.
Although, given the current events, I am not sure Let's Encrypt continues to deserve the trust it had.
The terms of service update, which clarifies what we have always done (comply with relevant law), has not changed the situation for either country.
According to https://news.ycombinator.com/item?id=48457280 it affects all people ordinarily resident in those territories, not just their governments:
> You are not a person or entity that is:
> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;
> [other 'or' conditions]
Let's Encrypt can issue certificates for non-government entities in Iran and Russia due to statutory exemptions protecting personal communications, alongside specific Office of Foreign Assets Control (OFAC) authorizations designed to promote Internet freedom and human rights.
We will look into whether we can make things more easily understandable in the subscriber agreement.
Seems to be pretty clear that it would include non-government entities in sanctioned countries.
"You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; "
This says nothing (edit: specific) about government (edit: only), and is applicable to normal people in those areas.
Still needs updating if it's supposed to only apply to governments, though.
I don't think the premise behind short-lived (six-day) certificates being viable is that CA issuance never goes down. Sure, the runway is shorter, but not that short. Most down time is a few hours or less, which is not a problem for six-day certificates that should be renewed every three days.
Short-lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.
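As an added illustration of the renewal-window arithmetic in the two comments above (a six-day certificate renewed at three days, and the earlier point that nothing should be renewing within 90 minutes of expiry), here is a small simulation; it is not code from the thread or from Let's Encrypt, and the certificate dates, outage interval and hourly retry cadence are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed scenario (not from the thread): a six-day certificate and a
# 90-minute issuance outage that happens to start exactly when the client
# first tries to renew.
NOT_BEFORE = datetime(2026, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=6)
OUTAGES = [(datetime(2026, 1, 4, tzinfo=timezone.utc),
            datetime(2026, 1, 4, 1, 30, tzinfo=timezone.utc))]
RETRY_EVERY = timedelta(hours=1)


def renewal_window(not_before, not_after, lead_fraction=0.5):
    """Return (start, end) of the renewal window.

    With lead_fraction=0.5 a six-day cert is first renewed at three days,
    leaving three days of slack before expiry; a 90-day cert renewed at
    day 60 would use lead_fraction=2/3.
    """
    lifetime = not_after - not_before
    return not_before + lifetime * lead_fraction, not_after


def first_successful_attempt(start, end, outages, retry_every):
    """Simulate a client that tries to renew at `start` and retries every
    `retry_every` until it succeeds or the certificate expires.

    An attempt fails if it falls inside any (outage_start, outage_end)
    interval. Returns the datetime of the first success, or None if the
    certificate expires first.
    """
    t = start
    while t < end:
        if not any(s <= t < e for s, e in outages):
            return t
        t += retry_every
    return None


def slack_after_renewal(not_before, not_after, outages, retry_every, lead_fraction=0.5):
    """Time left on the old cert once renewal succeeds (None if it never does)."""
    start, end = renewal_window(not_before, not_after, lead_fraction)
    done = first_successful_attempt(start, end, outages, retry_every)
    return None if done is None else end - done


if __name__ == "__main__":
    print("six-day cert, renewed at day 3:",
          slack_after_renewal(NOT_BEFORE, NOT_AFTER, OUTAGES, RETRY_EVERY))
    # The failure mode from the thread: renewal first attempted 90 minutes
    # before expiry, with the outage covering that whole stretch.
    late_start = NOT_AFTER - timedelta(minutes=90)
    print("renewal started 90 min before expiry:",
          first_successful_attempt(late_start, NOT_AFTER, [(late_start, NOT_AFTER)], RETRY_EVERY))
```

The six-day certificate still has two days and 22 hours left when the renewal lands at the third hourly retry; the client that waited until 90 minutes before expiry never gets one in.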
Are they going to be optional forever, or do you plan to eventually get rid of the longer lifetime options?
Update: Issuance is back up.
Update: Preliminary incident report:
Uh. I don't know if I like the sound of that...
It is almost always closer to the spelling mistake side than it is the key compromise side of the spectrum.
A peek at https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Progra... will show that most compliance issues, to the general public, are quite mundane.
NB: "legal compliance" is another term. So is "{legal,lawful} enforcement"
1. Press "heat controls" space on tablet. This "expands" the controls, showing steering wheel heat, seat heat, seat ventilation.
2. Press "seat heat" once to be on High (and more presses to get to Medium, Low or back to Off)
Wish it was a button. Buttons are much better for this sort of thing.
In this video, the Volvo controls are identical to Polestar, and, again, require at least two presses: https://www.youtube.com/watch?v=D29Nm-fwsHQ
While it's great to have a choice to do so, I personally detest voice controls (which require a button press, and a memorized phrase.)
I would still like to have a button-only option, of course.
I had to set up a dedicated Nanit-only AP in my house in order to stabilize the connection. It would not work any other way, tried many different configurations, even other APs.