RC RANDOM CHAOS

Let's Encrypt enforces sanctions; no browser checks

Let's Encrypt's sanctions restriction gates issuance by geography, not risk. The Web PKI validates by reference, so only the issuer field changes.


Let’s Encrypt, operated by a United States legal entity, refuses to issue certificates for requests it associates with territories under United States sanctions. The refusal occurs at the policy layer, before domain validation runs. A request that would satisfy every technical requirement, that demonstrates control of its domain exactly as the protocol specifies, is declined if it resolves to a listed geography. The check consumes no information about the domain’s behavior, its software, its history, or its traffic. It consumes a location and a list.

Everything downstream of issuance continues unchanged. Certificates issued before the restriction validate until they expire. Browsers, operating systems, and TLS libraries consult no sanctions list during the handshake. The chain resolves, the signature verifies, the dates hold, the connection is marked secure. No relying party anywhere in the world behaves differently toward a certificate because of where its request originated.

Issuance also remains available through other certificate authorities admitted to the same root programs. A domain refused by one issuer obtains an equivalent certificate from another, and the resulting encrypted channel is cryptographically indistinguishable from the one it would otherwise have had. In the territories the restriction covers, the observable change in the TLS ecosystem is a string in the issuer field.

It did not start this way. The Web PKI was built on a deliberately narrow assertion: a certificate proves that, at a specific moment, the holder of a private key demonstrated control of a specific name. That is the entire claim. The assertion says nothing about lawfulness, intent, safety, or jurisdiction. The narrowness was the design. A system that certifies one verifiable fact can scale to hundreds of millions of names precisely because it refuses to certify anything else.

The trust model assumed that this assertion was transferable and persistent. Root programs admit roots. Roots delegate to intermediates. Intermediates sign leaves. Every relying party inherits the full chain, and validation is mechanical and identical everywhere the software runs. Trust granted at the root persists for years and propagates automatically to every certificate beneath it. Geography appears nowhere in the validation path because geography was never part of the assertion being validated.

The model also assumed that issuance criteria and validation criteria describe the same object: the binding between a key and a name. Whatever a certificate authority checked at issuance was assumed to be a property of the certificate’s subject. The certificate carried that property forward, and relying parties consumed it without re-verification, on the understanding that validity meant one thing and only that thing. Nothing more was asserted. Nothing more was checked.

What changed was not the cryptography, the protocol, or any capability on the other side of the connection. What changed is that one issuance pipeline absorbed an input unrelated to the binding it certifies: the legal classification of a geography. The assumption that issuance criteria describe the certificate’s subject no longer holds at that pipeline. One criterion now describes the issuer’s regulatory environment instead. The certificate still asserts domain control. The gate in front of it asserts something else entirely, and the two assertions share no common object.

Geography became a proxy, and the system optimized for the proxy. A request from a listed territory is refused regardless of what the domain does. A request from anywhere else proceeds regardless of what the domain does. The gate measures alignment with a list, not any security property of the thing requesting issuance, because the list is what carries consequence for the issuing entity and the list is what the pipeline can evaluate. The artifact of compliance became the objective of the control. Risk, the quantity the restriction is presumed to address, is never measured at any point in the transaction.

Meanwhile the validation side of the ecosystem re-evaluated nothing. Trust stores assembled over two decades continue to honor every chain they admitted. Certificates issued before the restriction validate until expiry. Certificates issued by the other roots in the same stores validate identically, everywhere, including inside the listed territories. The system did not reassess what a certificate means when one issuer changed its inputs. It inherited the meaning from past states and continued executing it. This is the general behavior of trust systems under jurisdictional pressure: the control attaches at the point of issuance, because that is where the legal entity sits, while trust is evaluated elsewhere, in software that consults no list and answers to no jurisdiction. The restriction changed which issuer appears in a certificate. It changed nothing about what the certificate does, where it works, or what relying on it means.

The restriction executes by reference at every stage. The gate resolves an address against a geolocation database, and the database against a sanctions list. Neither lookup measures anything about the requester. The location is itself an inference, a record in a commercial dataset asserting where an address block was assigned, accurate to whatever degree the dataset happens to be. The list is a legal document. The gate joins two references and produces a refusal. At no point does any component in the pipeline observe the domain it is refusing. The refusal is the output of a join operation between two artifacts, neither of which describes the subject of the certificate.

On the relying side, validation is also reference. A TLS client accepts a certificate because the signing chain terminates in a key that appears in its trust store, and the store is a set of references admitted years earlier under criteria the client never sees. The client does not evaluate the conditions under which the leaf was issued. It cannot see what the issuer checked or declined to check, and the protocol carries no field through which issuance policy could reach it. Acceptance depends entirely on the identity of the certificate’s source and not at all on the circumstances of its production. Identity of source replaced integrity of process, and the replacement is structural. There is no place in the handshake where the information the restriction encodes could be consumed even if a relying party wanted it.

So when a refused domain obtains an equivalent certificate from another authority in the same root programs, no control is bypassed. Every component executes its designed function. The second issuer validates domain control exactly as the protocol specifies. The chain resolves. The handshake completes. The restriction was scoped to a single node in a graph that was deliberately built so that no single node is load-bearing, and the graph routed around the gate the same way it routes around any unavailable issuer. Routing around individual issuers is the system’s redundancy operating as intended. The restriction did not fail. It was attached to a point the architecture treats as interchangeable.
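To make the two reference resolutions concrete, here is an added example, not code from this post or from Let's Encrypt, that models the sequence above in Go using the standard library's crypto/x509 for issuance and chain verification. A toy CA keeps a self-signed root and an optional gate built from two lookups, an address-block-to-country table standing in for a geolocation dataset and a country-to-listed map standing in for a sanctions list; the gate joins them and never reads the domain. The relying-party side is plain `x509.Certificate.Verify` against a trust store holding both roots, which has no input through which an issuer's gate decision could arrive. The CA names "CA-A" and "CA-B", the 203.0.113.0/24 block, the country code "XX", and the name example.test are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrRefusedByGate: the policy layer declined before any domain validation would have run.
var ErrRefusedByGate = errors.New("policy gate: source address resolves to a listed territory")

// CA is a toy certificate authority: a self-signed root plus an optional gate built from two references.
type CA struct {
	Root   *x509.Certificate
	key    *ecdsa.PrivateKey
	Geo    map[*net.IPNet]string // reference 1: address block -> country (stand-in for a geolocation dataset)
	Listed map[string]bool       // reference 2: country -> listed? (stand-in for a sanctions list)
}

func must[T any](v T, err error) T { // setup failures are not the subject of this example
	if err != nil {
		panic(err)
	}
	return v
}

func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Root: must(x509.ParseCertificate(der)), key: key}
}

// Issue runs the gate, a join of the two references, and only then signs. Proof of domain control (the
// ACME challenge) is assumed to have succeeded identically at every CA and is not modelled; the gate never reads the domain.
func (c *CA) Issue(domain string, source net.IP, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	for block, country := range c.Geo {
		if block.Contains(source) && c.Listed[country] {
			return nil, ErrRefusedByGate
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, c.Root, pub, c.key)))
}

// Accepts mirrors a TLS client: chain to a trust-store root, check the name and the dates.
// No parameter exists through which an issuer's gate decision could reach this function.
func Accepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// Scenario records the observable outcomes of the sequence the post describes.
type Scenario struct {
	PreRestrictionValid, RefusedByA, ReplacementValid, OnlyIssuerDiffers bool
}

func Run() Scenario {
	caA, caB := NewCA("CA-A"), NewCA("CA-B")
	subject := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	roots := x509.NewCertPool() // the trust store admits both roots and never sees either gate
	roots.AddCert(caA.Root)
	roots.AddCert(caB.Root)
	const domain = "example.test"        // constructed requester; the toy geo table places the
	source := net.ParseIP("203.0.113.7") // documentation address 203.0.113.7 in country "XX"
	_, block, _ := net.ParseCIDR("203.0.113.0/24")

	before := must(caA.Issue(domain, source, &subject.PublicKey))
	caA.Geo, caA.Listed = map[*net.IPNet]string{block: "XX"}, map[string]bool{"XX": true} // restriction takes effect
	_, err := caA.Issue(domain, source, &subject.PublicKey)
	after := must(caB.Issue(domain, source, &subject.PublicKey)) // same request, adjacent issuer

	return Scenario{
		PreRestrictionValid: Accepts(before, roots, domain),   // issued before the gate existed; still validates
		RefusedByA:          errors.Is(err, ErrRefusedByGate), // same domain and source, after the gate
		ReplacementValid:    Accepts(after, roots, domain),    // accepted exactly as the first one was
		OnlyIssuerDiffers: before.Subject.String() == after.Subject.String() &&
			before.DNSNames[0] == after.DNSNames[0] && before.Issuer.String() != after.Issuer.String(),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

`go run` prints all four fields as `true`. The only error the scenario inspects is the gate's refusal; `must` is there so that key generation and encoding failures, which are incidental, do not clutter the sequence. Note what `Accepts` actually consults: the pool, the name and the clock. Swapping the root out of the pool is the one change that alters its answer, which is the point the post makes about where trust is resolved.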

The asymmetry is complete. The gate consumes a reference and produces a refusal. The ecosystem consumes a different reference and produces trust. The property the restriction is presumed to govern, risk, appears in neither dataflow. It exists in the policy document and nowhere in the transaction. In practice the system contains two reference resolutions that share no common object, and the activity being governed passes between them untouched.

The pattern is execution based on reference, not verification. A system performs an assessment once, at one point, encodes the result as an artifact, and every downstream component executes against the artifact. The artifact circulates. The assessment does not. Controls added later attach to the assessment point, because that is where a legal entity sits and where policy can bind. But the system runs on the artifact, and the artifact is honored by reference, everywhere, for its full lifetime, by components that cannot see the policy and were never designed to.

Correspondent banking executes the same mechanism. An institution screens a customer against the same sanctions lists at account opening. The screening produces an account, and the account number becomes the artifact. Every downstream system, the payment networks, the clearing layers, the correspondent chain, executes transfers by reference to the account’s validity. None of them re-runs the screening. A transaction settles because the reference resolves. When one institution refuses a customer, an institution in another jurisdiction issues an equivalent account, and the rails treat the two accounts identically because the rails consume account references, not screening outcomes. The control attaches at issuance. Execution happens by reference. The property being governed is never present in the transaction that matters.

In both systems the consequence has the same shape. The control produces measurable artifacts of enforcement, refusal counts, blocked requests, audit evidence, while the governed activity continues through an adjacent issuer of the same artifact class. The enforcement is real at the node where it runs and absent from the system in which the node sits. It did not disappear. It moved. The system optimized for what the gate can evaluate, and the gate can evaluate references. The list became the measurement. The artifact became the objective.

The Web PKI resolves trust once, at root admission. Everything after is reference. No list is consulted at the point where trust is actually spent.

A restriction placed at one issuer governs that issuer. It does not govern certificates, connections, or territories. The architecture was built so that it could not.

The refusal executes. The certificate issues elsewhere. The control exists. The outcome does not.
