The main problem is the bureaucracy associated for this. Another issue is the ownership control of the organisation (DEP Cybersecurity), the organisation needs to be controlled by EU citizen and located in EU.

@EUCommission @letsencrypt @nlnet

I wish Australia would do something too, but we can't even organise an SSL certificate for a frequently accessed website like the national weather service...

bom.gov.au/

they can't. that'd completely go against their values.
this is like asking them to refuse letsencrypt in Russia, they can't. it's an automated certificate system, they can't just prevent the issuing certificates simply because of their party.

even big websites, like the national security agency, and even whitehouse.gov use letsencrypt as well, so it wouldn't be a good sign for anyone.

call me weird but the developments of @letsencrypt vs. @cacert shows everything wrong with the way #SSL works.

We would've had a superior alternative to #LetsEncrypt if #GAFAMs weren't able or even allowed to cockblock #CACert by refusing to import it's ROOT-CA, whilst every commercial #CA gets their keys imported, no matter how shit they are or that they are essentially a hostile state actor!

Fundamentaly, the design is flawed because DNS is not decentralized.

Got Dot?

I'm not a big fan of Let's Encrypt. I'd rather have the @EUCommission fund real grassroots efforts like @cacert

@letsencrypt @nlnet

LE is not the only Provider of free ACME-Issued certificates and some of the alternatives are even based in the EU.

@EUCommission @letsencrypt @nlnet

@dalias Last time I checked, every public CA must log in the CT log, and they must at least log into Google’s log.

So if Google refuses your log entry, doesn’t matter if your CA is European, the certificate won’t be valid.

EU had an initiative for European CA, with eIDAS, but instead of improving it we were just very much against it. We get the future we voted for.

blog.mozilla.org/en/security/m…

Mozilla and the EFF publish letter about the danger of Article 45.2

Technical experts at Mozilla and many other organizations have all spoken out about how these requirements would be bad for the web.

^{Eric Rescorla (The Mozilla Blog)}

Let's Encrypt states they are protecting 550M websites with their certificates. Imagine everyone would donate 1 cent per certificate per year. Yeah I know, payment processor fees, but hear me out: If Let's Encrypt would end up with 1 cent per certificate... this would mean 5.5 million Dollars per year. For each one of us it's just a few cents plus fees. But for them it would be about 7 times the amount they are endangered to loose now.

Yes, the EU could chip in for the US...

But so can we.

@EUCommission @letsencrypt @nlnet @dickenhobelix

EU really needs to take charge here. Let's Encrypt is essential.

Achim provides a bit more context about this move and the dubious legalities of cutting off OTF here:

eupolicy.social/@achimkla/1142…

Unfortunately it seems a number of Small Web/FOSS projects are affected by this.

Achim Klabunde

2025-03-23 13:24:53

OpenTechFund operated on budget committed by the US Congress. The US President cannot stop funding that the parliament has decided on. However, what he claims to be allowed to do is to reduce the staff of the agency in charge of administration of these funds so that it no longer can do its work.
What do you expect when government is handed over to BigTech?
Source (in German): netzpolitik.org/2025/projekte-…

Projekte für Internetfreiheit: Open Technology Fund steht vor dem Aus

Nun hat der Trumpsche Kahlschlag auch den Open Technology Fund erreicht. Das US-Projekt finanziert Projekte mit, die sich weltweit für die Internetfreiheit einsetzen. Damit ist vorerst Schluss, gab die OTF-Präsidentin Laura Cunningham bekannt.

^{netzpolitik.org}

OTF is just one of many, many sponsors of Let's Encrypt.

abetterinternet.org/sponsors/

Moving is highly non-viable - it would likely jeopardize at least some of their other funding, and it would be a physical and logistical nightmare. There are elaborate protocols for root key treatment involving recorded ceremonies and tamper-evident bags and such just for key signing - trying to move that all anywhere in the US would be stupidly hard, much less out of the country. It's a non-starter.

What is far more viable is for one or more new orgs to duplicate what Let's Encrypt did and set up a free trusted cert signing service - redundancy here would be welcome. The work of defining a protocol and mechanisms is already done. I just hand-waved away a ton of ugly - but it'd still be far faster and easier than trying to move Let's Encrypt physically out of the US.

Sponsors and Donors

Sponsors and Donors Those who make our work possible. Become a sponsor or donor Let's change the world. Or at least the Internet. A handful of organizations and a few thousand people provide 100% of our funding.

^{Internet Security Research Group}

We already have multiple European alternatives to @letsencrypt

We have ZeroSSL (Austria) and Buypass Go SSL (Norway).

So no problem here.
#LetsEncrypt

We need CACert more than ever now

cacert.org/

@opalfrost The thread’s broken. This was meant to be a reply to the four freedoms post?

Let’s Encrypr runs Boulder, released under MPL: github.com/letsencrypt/boulder

Afaik, everything they do is released under an open source license.

GitHub - letsencrypt/boulder: An ACME-based certificate authority, written in Go.

An ACME-based certificate authority, written in Go. - GitHub - letsencrypt/boulder: An ACME-based certificate authority, written in Go.

^GitHub

Why move? They publish their tools, and the legal framework needs to be done again anyway. Let's set up a parallel one here.

There are 13 DNS root servers, I think we should have at least two free public certificate authorities. (Or, dun'no, maybe one per continent if the others want to do it too).