On desktops browser displaying the fingerprint/hash requires clicks, on mobile is not implemented and on native apps practically not existing.

The keys should be shown, so they could be verified manually in person or via other channel. Just like the SSH do. Someone say people would just click "accept" without a thought, but the button is already here, just no information what actually is accepted.

But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time

When I read it, I interpreted it as "let's encrypt bans certificate usage in - any territories endorsed by the US". Took me reading a couple comments to understand it actually meant "territories under US sanctions".

But can we still trust them?

I am not well versed in how their systemwide certificate issuance works: If they have to add this to their terms to comply with their government, could the same government use pressure to leverage let’s encrypt to do harm.

I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).

Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.

In reality of course you can probably just ignore this as long as you request the certificate from a proxy in a nonsanctioned country and you don't stick out to the government.

Genuine question! Because I assumed there were other places you could get a SSL certificate, but people in this thread seem to be implying that without Let's Encrypt, there's no way for people in those sanctioned territories to get a cert.