Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?
Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own that they are under the control of a political organization.
Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:
> You are not a person or entity that is:
> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;
> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).
> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
They could, but if the branch didn’t follow these laws, the main US branch would still be liable.
It's about time SOME entities start moving out of the US entirely.
RISC-V Foundation did... though they go out of their way to talk about it in terms that try not to piss anyone off.
> "Across 2018-2019, the RISC-V community has reflected on the geo-political landscape and we have heard concerns from around the world that investment in RISC-V must come with IP access continuity to ensure a long-term strategic investment. We first mentioned our intentions to move at the December 2018 summit. Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model. RISC-V International does not maintain any commercial interest in products or services as a non-profit, membership organization. There have not been any export restrictions on RISC-V in the US and we have complied with all US laws. The move does not circumvent any existing restrictions, but rather alleviates uncertainty going forward.
> In March 2020, the RISC-V International Association was incorporated in Switzerland. Along with this, we shifted to a new, more inclusive membership structure. Members of RISC-V International have access to and participate in the development of the RISC-V ISA specification and extensions as well as related hardware and software. RISC-V has a Board of Directors composed of member representatives as well as a Technical Committee of work group leaders."
> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.
> The IP contributed and produced by RISC-V International is held under industry and global standard licenses that are already open to leverage by any company regardless of jurisdiction. This licensing is a common open source approach to foster collaboration that is not tied to any geographic regulation. IP in the public domain has not been subject to export control.
https://riscv.org/about/
The RISC-V foundation and related companies also got a bunch of money from Europe. I am not so sure this was about leaving a repressive regime as much as chasing the European "homegrown computing" money.
Other countries sanction each other too.
This is not about countries sanctioning each other. This is the US sanctioning a local company because a foreign company doesn’t follow certain US laws in foreign soil, where such laws don’t apply.
It’s a bit like the US arresting your mom at home in Texas because you ate a baggie of magic truffles in Amsterdam.
You're being very vague. Please explain what you mean? I don't see anything here about the US "sanctioning a local company," and I'm not aware of that being possible under US law.
"Clarifying Lawful Overseas Use of Data (CLOUD) Act."
Please see my answer to the sibling comment.
The way you are using these words seems to indicate you might be confused about how this works.
The US has not "sanctioned" LetsEncrypt or ISRG. The US sanctions foreign entities as punishment for various reasons precisely because they are not subject to US law. That's the entire point of leveraging a sanction -- to pressure those outside of your legal jurisdiction. If they were in your jurisdiction, you'd simply arrest them.
People and organizations basically anywhere are not permitted to do business with anyone your country has sanctioned. Anyone who does business internationally should be aware of their country's sanctions list. That applies no matter where you live on the planet.
This is not that though.
This is literally about a company that has a branch in the USA and another branch in another country, where it's bound by that country's laws. If the foreign entity which just so happens to be commercially linked to the one in the USA has any dealings with countries sanctioned by the US, the US branch is punished.
There was a case a few years ago where a public University in Brazil bought lab computers from Dell Brasil. Dell Brasil is a subsidiary of Dell, but it's 100% incorporated in Brazil, the computers were manufactured in Brazil, everything following Brazilian law. The computers were delivered with terms of service that prohibited them from being used for any dealings with US-sanctioned countries such as Iran and Cuba. The University was caught by surprise and questioned it, since they had many academic links with Cuban Universities, and Dell Brasil explained that.
I don't know how the whole ordeal ended. The Brazilian Federal Government got involved, I believe the Ministry of Exterior and the Ministry of Commerce and Industry both got involved and were at one point going to sue Dell Brasil. I suspect it ended with the University returning the computers and purchasing from another supplier.
The suggestion that Let's Encrypt could work around US sanctions by opening a branch in the EU falls under similar conditions, and the US branch would be liable if the EU subsidiary had dealings with US-sanctioned countries.
Incorporating a subsidiary in a foreign country doesn't make the parent company immune to the legal obligations it has in its home country. It would be absurd if that were the case. Sometimes people try setting up subsidiaries overseas to hide their evasion of the law, but it is illegal to do so.
You may call it a subsidiary all you want, but it's still a company that's wholly incorporated in foreign soil, doing business in foreign soil.
At least in Brazil, companies that operate there must obey local laws. What happens when those laws are in contradiction with US laws, like in the example I cited? Is Brazil supposed to cave? Is Brazil supposed to keep fining Dell Brasil until it folds? Maybe prosecute Dell Brasil's directors for actively and repeatedly disregarding the law and fines?
How does that work on a global scale?
I'll say again, this is not about a US company opening a foreign subsidiary to do things in the US that are forbidden in the US. This is about a company incorporated abroad having to follow US laws while operating wholly abroad. This is a breach of sovereignty however you look at it.
It is plainly routine for a company to have to deal with multiple legal jurisdictions at a time.
Yes, sometimes this causes compliance complications. This isn't unusual, it happens frequently.
Ultimately, every government exercises the laws of their country as they see fit, using the enforcement tools they have available to them. These rules often extend outside of their borders and apply to foreign or partially-foreign entities depending on the situation. The only limits on this are the practical means of enforcing it.
Dell Brazil would have been subject to Cuba sanctions because it was controlled by the US parent company. The US has obvious jurisdiction over Dell Technologies the parent company, and the nexus to enforce it.
Nothing you are describing is even remotely unique to the US. No country is going to let you set up a foreign subsidiary to launder goods around sanctions law. If they did, everyone would do that and nobody would ever follow sanctions.
> Incorporating a subsidiary in a foreign country doesn't make the parent company immune to the legal obligations it has in its home country.
We're not talking about legal obligations in its home country though. I can buy Jack Daniels at age 19 in my country from their local subsidiary, and no-one thinks that this should be a crime for their US parent company because the US drinking age is higher. (Of course it would be a crime for either the parent or the subsidiary to sell to 19 year olds in the US)
(No-one is blaming Dell or Let's Encrypt here, to be clear, it's the US' excessive extraterritorial laws that are the problem)
If you are in the US you must ensure that your local company, and any sub-entity you control abroad, complies with sanctions law. That is US law, and the US can apply that law to Dell the parent company, because it is in the US and controls the subsidiary.
> I can buy Jack Daniels at age 19 in my country from their local subsidiary, and no-one thinks that this should be a crime for their US parent company because the US drinking age is higher.
Because there is no US law that says you cannot sell alcohol to people abroad under 19. Heck, there's no US federal law that says Jack Daniels can't sell to people in the US under 19, either. And in fact, there are some places in the US where you can legally drink at 18, e.g. Puerto Rico. But if the US congress wanted to pass one of these laws and enforce it, it could.
US sanctions law saying that you must not transfer X from the US to Iran, directly or indirectly, is reasonable. US sanctions law saying that you must not transfer X from Brazil to Iran is gross overreach. Yes, of course the US can apply its absurdly extraterritorial laws to any parent company in the US, just as Iran could penalise any Iranian company whose US subsidiary distributed a depiction of the prophet or whatever, but that doesn't make it good law or good practice.
That's a fair opinion to have.
But the US isn't really unique in applying their laws extraterritorially. See GDPR, Universal jurisdiction laws, China's National Security Law, etc... Every jurisdiction with sizable power does it. Some of these are even more extraterritorial in scope than US sanctions are.
> GDPR
Only applies to EU citizens' personal data, so while technically extraterritorial it doesn't feel like overreach in the same way.
> Universal jurisdiction laws
Rightly controversial when applied beyond things that are internationally agreed to be crimes against humanity, like torture or genocide.
> China's National Security Law
A perfect example of the kind of thing that the US used to define itself in opposition to.
Nations are sovereign and those with the might to push their requirements on others can do so. But I liked it better when we had a sense of the value of an open international order, where things like internet protocols were shared standards that everyone would collaborate on other than a handful of pariah states.
The difference between any of these is just a matter of opinion on what sovereignty means, what or who or where it applies to, what is a “human rights violation”, and who has the bigger britches to back it up. /shrug
Meh. You can fall back on might makes right and a Hobbesian war of all against all, or you can recognise that the Westphalian system has brought immense value to humanity and is worth trying to preserve and build on. There will always be disputes about how to extend our principles into new domains, but that doesn't mean those disputes are insoluble or that a few disagreements mean we should tear down the whole project.
> Only applies to EU citizens' personal data
That's not true.
The GDPR applies to the personal data of anyone physically in the EU, to the extent that the data are processed[0] while they are in the EU.
It also applies to the personal data of anybody anywhere in the world if the data controllers are based in the EU.
The reason why it's different to US sanctions/export controls is that the GDPR doesn't say you can't work with certain people in certain circumstances because of who they are in order to punish those people for whatever reason. It's fundamentally to protect the data subjects.
[0] which includes collection of said data
Why didn't the university just ignore the terms of service?
I don't know, and to be fair they might have done just that - and it wouldn't surprise me if that happened with the blessings of the Federal Government.
As I mentioned, I didn't follow up on the story and in fact when I searched for it a few years ago, I couldn't even find the original articles any more.
Ah, so it would be like the EU fining a US based company for not following certain GDPR laws even if they don't have a presence in the EU? Definitely would never happen!
They mostly don't.
Or rather, when other countries say "sanctions", they are almost always talking about something completely different than the United States.
This is part of why the EU is looking to move away from US-based infrastructure. The CLOUD Act basically lets Washington have an off-switch on your computing infrastructure as well as giving Washington unlimited access to any data on your computers (or that passes through them).
Just close down completely in the US and move to the EU
And then what? Be subject to similar sanctions from a different governing body?
e.g. https://www.consilium.europa.eu/en/policies/sanctions-agains...
Why, so they can be forced to enforce content restrictions on any provider that wants an SSL restriction?
So simple, just uproot your lives and move to a different continent 4heads!
What if the branch in Iran was the main branch?
It shouldn't be located in Europe (because, as you said, US minions are no better than the US itself). Instead it should move to a neutral country, somewhere like Singapore or Uruguay.
Suddenly the idea of having a CA hosted in space on a satellite issuing certs seems like a good idea.
New startup idea: Starlink for TLS.
You're assuming that satellites are extraterritorial. They aren't, they're ab initio the launching state's property and responsibility, barring other agreements to transfer them - and getting one out into a "legal void" isn't going to be trivial.
Over the centuries I am sure there will be random satellites that are defunct that will be hacked or otherwise "taken over" by someone with the right skills. These things are tiny compared to the distances involved and in the future you might end up using them as data reservoirs since in many cases it will be cost prohibitive for any authority to go collect or otherwise stake authority over an old piece of hardware considered junked.
In a hundred years, sure. Current satellites have neither storage nor compute capabilities of note.
That said, they don't have to grab the satellite. They have to grab you. Computer vandalism/sabotage/... laws in a lot of legal systems already apply to the controlling people in their home location regardless of the physical location/origin of the computer activity. Your controlling the computer/satellite/botnet/... is the illegal act, not the network packets leaving those systems.
They'll have to identify you first though, which might give some legal shielding.
A ship in international waters with satellite internet connection would be much cheaper, except it runs into the same problems as described by the sibling comment: https://news.ycombinator.com/item?id=48469397
You don't get 1,361 W/m² of continuous free energy when you're Earth-bound, with all those pesky water molecules.
> free energy
It is free only if you ignore the cost of getting the thing into orbit in the first place.
Edit: also, AFAIK, normal microchips (without special radiation hardening) don't last that long in space
Also, pirates
There are other non-US equivalents to Let's Encrypt.
Let's Encrypt is not some code or even a company that you can split into different branches. Their existence is based on the trust relations that Let's Encrypt has with browsers and operating systems. It is in one part similar to both domain names and IP address space, in that the technical aspects of creating alternative roots are almost trivial in comparison to getting the trust that is required for an alternative root to be accepted by the rest of the world.
Let's say someone created a Russian Let's Encrypt. It has all the technical aspects of the regular LE, in that you can request a certificate and get one through an ACME challenge. That is all great and all, but no browser will recognize it as valid. No operating system will recognize it as valid. The Russian state might add the new LE as valid for government computers, but the real work would be to get any other participants in the world to do the same. The issue is not a technical one but rather a social one that is built on trust.
When Russia invaded Ukraine there was a major discussion about whether IANA/ICANN should have disconnected Russia from domain names and IP addresses. That discussion ended in a decision not to do that, because the symbolic benefit was deemed minor compared to the harm to the system at large, especially once the war ends. If you have two roots, then a domain name or IP address can suddenly have two locations, and it would be a massive pain to try to fix it even if people wanted to fix it. Certificate Authorities do not share this trait, since there can be an almost unlimited number of roots and none of them can conflict with each other (assuming no hash collision). If Russia spins up a new CA then people can use that one today if they want to, and they can continue to do so after the war has ended.
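As an added illustration of the point made in this comment (example code, not from the thread, from Let's Encrypt or from any real CA), the Go program below, standard library only, mints a constructed "alternative" root, issues a leaf for example.org the way an ACME CA would after a challenge, and verifies that leaf twice: against an empty trust store, standing in for a browser that has never heard of the root, and against one in which a client has added it. The root name, the hostname and the validity window are all constructed values; the only thing that changes between failure and success is the relying party's trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign mints a key pair and a cert for tmpl signed by parent/parentKey (self-signed if parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // a root signs its own template with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// newRoot is the trivial part: anyone can create a self-signed root (the name here is constructed).
func newRoot(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, nil, nil)
}
// issueLeaf is what an ACME CA does once a challenge passes: sign a server certificate for host.
func issueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) (*x509.Certificate, error) {
	leaf, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}, ca, caKey)
	return leaf, err
}
// verifyWith is the hard part: validity is decided by the relying party's trust store, not by the
// issuer. An empty pool stands in for a browser or OS that has never heard of the new root.
func verifyWith(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
func main() {
	ca, caKey, _ := newRoot("Constructed Alternative Root")
	leaf, _ := issueLeaf(ca, caKey, "example.org")
	fmt.Println("unknown root :", verifyWith(leaf, "example.org", x509.NewCertPool()))
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("root in store:", verifyWith(leaf, "example.org", trusted))
}
```

The first line prints an "unknown authority" error and the second prints nil, which is the whole gap between running a CA and being trusted as one.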
Russia already has its own root CA, the issue is that state-owned root CAs are by definition not safe from MITM attacks by the same government.
A completely independent entity would be a far better option. The protocol is open after all; it just needs pointing to a different vendor.