Hoss Shafagh, Netflix
The TLS trust and Web PKI ecosystems are undergoing rapid and foundational shifts. Root programs will enforce stricter policies: root certificates will have an active lifetime of 10 years, and server certificates can be valid for no more than 47 days by 2029. These changes are designed to promote crypto-agility and resilience, but they also create new operational and security challenges across the ecosystem.
In this talk, we explore the concept of trust agility in practice: the ability to securely and rapidly update trust relationships as cryptographic standards, certificate authorities, and threat models evolve. While browsers can update quickly, consumer devices have a slower upgrade cycle, especially in developing countries. Meanwhile, machine-to-machine communication and non-browser use cases increasingly fall outside the scope of traditional browser-based trust models.
Drawing from real-world experience, we will discuss strategies for achieving trust agility, focusing on automation and lifecycle-aware certificate management across diverse endpoints. Attendees will walk away with concrete techniques for navigating the modern TLS trust landscape and future-proofing their PKI infrastructure.

Hoss Shafagh is a staff security software engineer at Netflix with over a decade of experience designing and developing secure systems. His work includes designing foundational services for Public Key Infrastructure, TLS certificate lifecycle management, and workload identities. Hoss leads Netflix's crypto-agility efforts, which focus on developing the capability to adapt to algorithmic deprecations and evolving cryptographic threats, including those posed by post-quantum computing. He holds a Ph.D. in computer science from ETH Zurich, Switzerland, where he specialized in encrypted data processing and cryptography-based authorization systems.
