A bit disappointed to see ISRG/LetsEncrypt fall in line with the US's punitive sanctions, now effectively illegal for use by any in the long list of territories the US gov seeks to push down.

That's a lot of people and NGOs doing good work in places that need it, and for whom commercial SSL/TLS certs may be prohibitively expensive.

Screenshot from the new Subscriber Agreement, shared with me by @themadhatter, who alerted me to this change.

https://linuxiac.com/lets-encrypt-certificate-rules-now-include-u-s-sanctions-warranties/

@JulianOliver @themadhatter @Binder the only option is LE setting up separate national entities. A good idea if they can.

@revk @JulianOliver @themadhatter @Binder per nation-state entities would only mitigate some of this. TL;DR there's no substitute for building one's own CA despite how totally ass it is so I guess I should invest in the necessary PKCS#11-compatible dancing dogshit as before. also RFC 7258, witness the uninvited guests arrive as soon as the CT logs update, who must be told to go and fetch their f**king shine box like Joe Pesci got told in GoodFellas.

@revk @JulianOliver @themadhatter @Binder in the 00s I co-developed an automated system for bootstrapping FreeBSD-based Asus Eee devices with the late Alexei Blinov which employed OpenVPN and a Python-based CA to build private clouds with auto-enrolment. code lost to the wind. these days DANE, which implies DNSSEC, is another starting point. I am a bit miffed people aren't doing much about SSHFP in mDNS for IoT and local nodes though