On Tuesday, November 22, 2016 at 9:16:43 PM UTC+1, [email protected] wrote:
> Issuance to gov.ir and gov.sy is not allowed as these entities are sanctioned 
> by the U.S. government and we are a U.S.-based organization. Issuance to .mil 
> is not allowed due to contractual obligations that are reflected in our 
> Certification Practice Statement.

This is perhaps not the place to broaden the argument on Let's Encrypt's 
compliance policies, but to clarify this where it arises (and of course, I am 
neither a lawyer nor providing legal advice). Iranian General License D-1 
paragraph (a)(6) authorizes "publicly available, no cost services and software 
to the Government of Iran." That applies where the software or service falls 
under a subset of the G.L. Annex, of which the eleventh item covers SSL 
certificates. There are limitations to this related to blocked or designated 
entities, but that's not only a problem related to governmental entities. So on 
face value, Let's Encrypt need not restrict use by .gov.ir domains if it would 
otherwise like to offer its services. 

I take it as a positive sign that the government of Iran would use Let's 
Encrypt as a CA, and further promote its use in a country that is especially in 
need of the initiative due to sanctions. Neat, unusual incident.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
