← Back to context

Comment by LinuxBender

3 years ago

I use those as well. I am curious if there has ever been a case where LetsEncrypt were legally compelled to create exemptions for domains as in ignoring CAA and not logging to the transparency log or to just outright issue certs to an agency for specific names. CAA account and method restrictions would be negated at that point.

The more I think about it I would wager that Linode and Hetzner were just law enforcement having good taste in VPS providers. It's more likely to me that LE was the compelled target.

Let’s Encrypt publishes legal transparency reports on what law enforcement asks us.

https://letsencrypt.org/documents/ISRG-Legal-Transparency-Re...

We’ve never been ordered to issue a certificate.

While I am a Let’s Encrypt employee, this message is not an official communication of Let’s Encrypt and shouldn’t be interpreted as such.

  • I appreciate that. I assume that would not cover and NSL which is also a gag order but nice that you have something for all other above board legal requests. I see you have a column for NSL but have no idea how that could ever increment without violating the NSL.

    For some background I've spent a good deal of time with lawyers and C-Levels playing devils advocate trying to find a way to indirectly notify customers but it's just not legally possible in the United States of America and there is nobody that would risk violating one. People here on HN often bring up canaries but they are not compatible with a NSL.

    • Other entities that publish transparency reports and that have received NSLs have reported them in bucketed ranges. I forgot the exact granularity.

      It does not appear that NSLs compel arbitrary actions or require the recipient to actively lie about having received one.

    • they could go the extra mile there and put a canary page about not having accepted any gag orders (which they could remove when they do)