A centralized PKI is not a suitable solution for providing identities in large-scale IoT systems. The main problem is the high cost of managing X.509 certificates throughout their lifecycle, from installation through regular renewal to revocation. Self-Sovereign Identity (SSI) is a decentralised alternative that reduces the need for human intervention and therefore has the potential to significantly reduce the complexity and cost associated with identity management in large-scale IoT systems. However, to leverage the full potential of SSI, the authentication of IoT nodes needs to be moved from the application layer to the Transport Layer Security (TLS) layer. This paper contributes to the adoption of SSI in large-scale IoT systems by addressing, for the first time, the extension of the original TLS 1.3 handshake to support two new SSI authentication modes while maintaining interoperability with nodes that implement the original handshake protocol. An open source implementation of the new TLS 1.3 handshake protocol in OpenSSL is used to experimentally demonstrate the feasibility of the approach.