Thanks Matthew, you make some excellent points. I will note that section 3.1.6 of Let's Encrypt's CPS states "While ISRG will comply with U.S. law and associated legal orders,...". I am not a lawyer, so I can only presume that there is some legal provision for the situations you've described.
On Tue, Jan 15, 2019 at 4:40 PM Matthew Hardeman <mharde...@gmail.com> wrote:

> On Mon, Jan 14, 2019 at 5:45 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> Am I wrong to expect US CAs to be monitoring OFAC sanctions lists? Otherwise they would risk violating the typical "comply with applicable law" stipulation in section 9 of their CPS'.
>
> I'm concerned that such a policy interpretation would necessarily imply that the CA, in the routine course, might need to have an assertion as to the individual / organization requesting or benefitting from the certificate. While Let's Encrypt allows account registration to be attached to an email address, I'm pretty sure they don't require it.
>
> I'm working from the assumption that the CAs in the US are following a "most-conservative approach" legal guidance in determining whether or not a given certificate that they might issue or may have issued constitutes a covered dealing as defined in the various sanctions orders and laws (which are numerous). In the strictest literal sense, a CA is performing a service (as in performing work upon the request of a party) at the behest of a certificate requestor / subscriber -- who might in fact be unrelated to the ownership of the DNS name which is incorporated in the certificate (providing the requestor can succeed at validation). This would suggest that providing service for the wrong requestor might be of more significance to the sanctions rules than whether or not the target website mentioned in the certificate is owned or operated by a sanctioned entity.
>
> There's also a reasonable case to be made that providing OCSP status information over an unrelated third party's certificate, to and/or upon the request of a sanctioned entity might be construed as providing service to a sanctioned entity.
>
> I suppose my concern is that generally speaking, DNS names aren't sanctioned. Entities are. But in a domain validation environment, is it reasonable to suggest that CAs pull in lists of entities and then monitor these for domain names, the provenance of said domain names having not even been required and/or established in the course of issuance?
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy