2025-10-08, Krakow / Business Value & Enterprise Adoption
TLS 1.3 and QUIC lack native mechanisms for refreshing cryptographic keys or certificates during long-lived sessions, which creates challenges for applications such as always-on VPNs, IoT, and real-time streaming. This talk explores the security risks of long-lived sessions and reviews recent IETF work (Extended Key Update and Certificate Update) that aims to address these gaps. We’ll compare this with TLS 1.2 renegotiation, highlight how other protocols such as WireGuard, SSH and IKEv2 approach key rotation, and examine existing workarounds used in practice. The session is targeted at implementers, protocol designers, and security practitioners interested in evolving TLS and QUIC for modern use cases.
Long-lived TLS 1.3 and QUIC sessions are common in modern networks, but they come with hidden security risks. Without built-in mechanisms to refresh keys or certificates, these persistent connections can become weak points over time. This talk explains why this matters, how other protocols handle it, and what new solutions are emerging from the IETF. You’ll learn about two active proposals, Extended Key Update and Certificate Update, that address some of the security challenges of TLS 1.3 and QUIC. If you build or operate systems that rely on long-lived secure connections, this session is for you.
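To make the key-refresh gap concrete: RFC 8446 does define a KeyUpdate message, but each new application traffic secret is derived purely from the previous one with HKDF-Expand-Label(secret, "traffic upd", "", Hash.length), so no fresh key-exchange material ever enters a long-lived session. The added example below (written for this page, not code from the talk or from any IETF draft) implements that derivation with the standard library and contrasts it with a simplified model of an update that folds fresh (EC)DHE output into the chain; the `extended_key_update` schedule is an assumption for illustration, not the exact derivation in the Extended Key Update draft. The `later_secret_derivable` check shows the property a defender cares about: with plain KeyUpdate, one exposure of a traffic secret covers every later secret, whereas mixing in fresh key-exchange output breaks that chain.

```python
"""Model of TLS 1.3 KeyUpdate secret chaining versus an update that mixes in
fresh key-exchange output. Added example; the extended update below is a
simplified assumption, not the draft's exact key schedule."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256 cipher suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract from RFC 5869: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label with the HkdfLabel encoding of RFC 8446 section 7.1."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def key_update(secret_n: bytes) -> bytes:
    """RFC 8446 section 7.2: application_traffic_secret_N+1 =
    HKDF-Expand-Label(application_traffic_secret_N, "traffic upd", "", Hash.length).
    No fresh entropy enters the chain."""
    return hkdf_expand_label(secret_n, "traffic upd", b"", HASH_LEN)


def extended_key_update(secret_n: bytes, fresh_dh_output: bytes) -> bytes:
    """Simplified model (assumption) of an update that folds a fresh (EC)DHE
    shared secret into the chain before expanding the next traffic secret."""
    mixed = hkdf_extract(secret_n, fresh_dh_output)
    return hkdf_expand_label(mixed, "traffic upd", b"", HASH_LEN)


def key_update_chain(secret_0: bytes, updates: int) -> list[bytes]:
    """Traffic secrets 0..updates produced by plain KeyUpdate messages."""
    chain = [secret_0]
    for _ in range(updates):
        chain.append(key_update(chain[-1]))
    return chain


def extended_chain(secret_0: bytes, dh_outputs: list[bytes]) -> list[bytes]:
    """Traffic secrets produced when each update carries fresh key-exchange output."""
    chain = [secret_0]
    for dh in dh_outputs:
        chain.append(extended_key_update(chain[-1], dh))
    return chain


def later_secret_derivable(leaked_secret: bytes, later_secret: bytes, steps: int) -> bool:
    """Does a party holding only traffic secret N (and no fresh DH output) reach
    secret N+steps by running the public KeyUpdate derivation forward?
    True means a one-time exposure of secret N covers all later secrets."""
    candidate = leaked_secret
    for _ in range(steps):
        candidate = key_update(candidate)
    return hmac.compare_digest(candidate, later_secret)


if __name__ == "__main__":
    # Constructed sample secrets; a real session takes secret_0 from the
    # handshake key schedule and the DH outputs from real key exchanges.
    secret_0 = bytes(range(32))
    plain = key_update_chain(secret_0, 4)
    fresh = extended_chain(secret_0, [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, b"\x04" * 32])
    print("plain KeyUpdate: secret 1 reaches secret 3 ->", later_secret_derivable(plain[1], plain[3], 2))
    print("fresh-DH update: secret 1 reaches secret 3 ->", later_secret_derivable(fresh[1], fresh[3], 2))
```

QUIC inherits the same shape: RFC 9001 derives each next secret with the label "quic ku" from the previous one, so the same chaining property holds there. This is why the workaround used in practice today is a full new handshake (reconnect) on an age or volume budget, and why a monitoring rule for long-lived sessions should track time since the last handshake rather than time since the last KeyUpdate.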
Yaroslav Rosomakho is Chief Scientist at Zscaler, where he leads research and innovation in secure networking, infrastructure resiliency, protocol design, and post-quantum cryptography. He is an active contributor to the IETF, currently chairing the HPKE Working Group and contributing to TLS, QUIC, MASQUE, and HTTP. Yaroslav has authored and co-authored several Internet-Drafts focused on enhancing the security of long-lived encrypted sessions and enabling scalable identity frameworks. Prior to Zscaler, he served as Field CTO at Netskope and held various technical leadership roles at Arbor Networks. His current focus is on building cryptographically resilient systems for the next generation of cloud and zero-trust architectures.