Authentication in TLS is predominately carried out with X.509 digital certificates issued by certificate authorities (CA). The centralized nature of current public key infrastructures, however, comes along with severe risks, such as single points of failure and susceptibility to cyber-attacks, potentially undermining the security and trustworthiness of the entire system. With Decentralized Identifiers (DID) alongside distributed ledger technology, it becomes technically feasible to prove ownership of a unique identifier without requiring an attestation of the proof's public key by a centralized and therefore vulnerable CA. This article presents DID Link, a novel authentication scheme for TLS 1.3 that empowers entities to authenticate in a TLS-compliant way with self-issued X.509 certificates that are equipped with ledger-anchored DIDs instead of CA-issued identifiers. It facilitates the exchange of tamper-proof and 3rd-party attested claims in the form of DID-bound Verifiable Credentials after the TLS handshake to complete the authentication with a full identification of the communication partner. A prototypical implementation shows comparable TLS handshake durations of DID Link if verification material is cached and reasonable prolongations if it is obtained from a ledger. The significant speed improvement of the resulting TLS channel over a widely used, DID-based alternative transport protocol on the application layer demonstrates the potential of DID Link to become a viable solution for the establishment of secure and trustful end-to-end communication links with decentrally managed digital identities.

翻译：TLS中的认证主要依赖于由证书颁发机构（CA）签发的X.509数字证书。然而，当前公钥基础设施的中心化特性带来了严重风险，例如单点故障和易受网络攻击，可能危及整个系统的安全性与可信度。借助去中心化标识符（DID）与分布式账本技术，无需依赖中心化且易受攻击的CA对证明公钥进行认证，即可从技术上实现唯一标识符所有权的证明。本文提出DID Link——一种面向TLS 1.3的新型认证方案，该方案使实体能够以兼容TLS的方式，通过配备基于账本锚定的DID（而非CA签发的标识符）的自签发X.509证书进行认证。在TLS握手完成后，该方案支持以DID绑定的可验证凭证形式交换防篡改且经第三方认证的声明，从而通过通信伙伴的完整身份识别完成认证。原型实现表明，若验证材料被缓存，DID Link的TLS握手时长与常规方案相当；若从账本获取验证材料，则会产生合理的延迟。与广泛使用的基于DID的应用层替代传输协议相比，DID Link所建立的TLS信道在速度上实现了显著提升，这展示了其成为使用去中心化管理数字身份建立安全可信端到端通信链路的可行方案之潜力。