> Has letsencrypt been served with a subpoena?

While it's certainly possible that ISRG has been served a subpoena because it appears the US DOJ is now a mix of hacks and incompetent buffoons, it wouldn't matter because the whole point is that they don't know anything - what you told them is literally logged publicly for everybody to see without even knowing how to spell "subpoena" let alone issue one.

Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy and so the US government could get this secret with a subpoena - but the whole fucking point of a Public Key Infrastructure is that we're using Public Key Encryption, if we were OK with everybody having secrets all over the place this entire thing wouldn't be needed.

▲

basilikum an hour ago | parent [-]

They have the secret of the private keys used to sign certificates.

Looking at LavaBit^1 I really would not be so comfortable. The world and especially the US has not gotten more free since then.

[1]https://en.wikipedia.org/wiki/Lavabit

▲

tialaramex 7 minutes ago | parent [-]

They could mint certificates, for / about any name. But, those certificates won't work in popular applications unless the certificates include proof of logging.

So to be effective this means a hypothetical bad actor (maybe the US government or anybody else) issues bogus certificates, then either logs them - making a permanent record for everybody to see, or also subverts two or more logs, so that they issue bogus proofs.

This is a very expensive one shot attack on whatever the target would be, I guess it's not stupider than "Let's bomb Iran for no good reason" but it's up there.

	▲	basilikum 5 minutes ago \| parent [-]
		For the vast majority of cases, would anyone notice these malicious certificates being created and logged?