Cloud-mediated IoT architectures fragment authentication across vendor silos and create latency and availability bottlenecks for cross-vendor device-to-device (D2D) interactions. We present Atlas, a framework that extends the Web public-key infrastructure to IoT by issuing X.509 certificates to devices via vendor-operated ACME clients and vendor-controlled DNS namespaces. Devices obtain globally verifiable identities without hardware changes and establish mutual TLS channels directly across administrative domains, decoupling runtime authentication from cloud reachability. We prototype Atlas on ESP32 and Raspberry Pi, integrate it with an MQTT-based IoT stack and an Atlas-aware cloud, and evaluate it in smart-home and smart-city workloads. Certificate provisioning completes in under 6s per device, mTLS adds only about 17ms of latency and modest CPU overhead, and Atlas-based applications sustain low, predictable latency compared to cloud-mediated baselines. Because many major vendors already rely on ACME-compatible CAs for their web services, Atlas is immediately deployable with minimal infrastructure changes.
Translation: Cloud-mediated IoT architectures scatter authentication across vendor silos and introduce latency and availability bottlenecks for cross-vendor device-to-device (D2D) interactions. This paper proposes the Atlas framework, which issues X.509 certificates to devices through vendor-operated ACME clients and vendor-controlled DNS namespaces, thereby extending the Web public-key infrastructure to the IoT domain. Devices obtain globally verifiable identities without hardware modification and can establish mutual TLS channels directly across administrative domains, decoupling runtime authentication from cloud reachability. We build an Atlas prototype on the ESP32 and Raspberry Pi platforms, integrate it with an MQTT-based IoT protocol stack and an Atlas-aware cloud platform, and evaluate it in smart-home and smart-city scenarios. Certificate provisioning for a single device completes within 6 seconds, mutual TLS adds only about 17 ms of latency and moderate CPU overhead, and Atlas-based applications sustain low, predictable latency compared with cloud-mediated baselines. Because the web services of most major vendors already rely on ACME-compatible certificate authorities, Atlas can be deployed immediately with minimal infrastructure changes.
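The identity model the abstract describes, as an added example (not code from the paper or its prototype): a device certificate is an ordinary Web PKI leaf whose subject alternative name sits inside the vendor's DNS zone, and the accepting device's mutual-TLS configuration validates the peer's chain against public roots and then checks that the name falls within the vendor namespace it expects. It is standard-library Go; the public CAs are modelled as self-signed roots so that it runs offline, and the CA names, vendor zones and device hostnames are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must aborts the demo on CSPRNG or encoding failures, which are unrecoverable here anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a leaf for name signed by issuer, shaped like what a vendor's
// ACME client obtains for a device: short-lived, SAN inside the vendor's own DNS zone, usable in either
// TLS role. With a nil issuer it returns a self-signed root standing in for a public CA (constructed so
// the example runs offline; a real device would trust the ordinary Web PKI root store).
func newCert(name string, issuer *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(7 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	parent, signer := tmpl, any(key)
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.DNSNames, tmpl.ExtKeyUsage = nil, nil
	} else {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// verifyDevicePeer is the check one device applies to the other's certificate chain: it must end in a
// trusted public root, carry the EKU for the peer's TLS role, and name a host inside the expected vendor
// zone. rawCerts[1:] holds any intermediates the peer sent after its leaf, as public CAs issue through them.
func verifyDevicePeer(rawCerts [][]byte, roots *x509.CertPool, zone string, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	chain, err := x509.ParseCertificates(bytes.Join(rawCerts, nil))
	if err != nil || len(chain) == 0 {
		return nil, fmt.Errorf("no usable peer certificate chain (%d blobs, parse error: %v)", len(rawCerts), err)
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{usage}}); err != nil {
		return nil, err
	}
	for _, name := range chain[0].DNSNames {
		if strings.HasSuffix(name, "."+zone) {
			return chain[0], nil
		}
	}
	return nil, fmt.Errorf("peer names %v are outside zone %s", chain[0].DNSNames, zone)
}

// demo stands up two public CAs, devices from two vendors and two bad peers, then builds the accepting
// device's mTLS server config and calls its client-certificate hook as a handshake would. Every CA, zone
// and device name below is constructed for this example.
func demo() (cross, wrongZone, untrusted error) {
	caA, caB, rogue := newCert("Public CA 1", nil), newCert("Public CA 2", nil), newCert("Unknown CA", nil)
	roots := x509.NewCertPool()
	roots.AddCert(caA.Leaf)
	roots.AddCert(caB.Leaf)
	lamp := newCert("lamp-7f3a.devices.vendor-a.example", &caA) // vendor A device, accepting connections
	hub := newCert("hub-01.iot.vendor-b.example", &caB)         // vendor B device, connecting
	cam := newCert("cam-2.iot.vendor-c.example", &caB)          // valid certificate, unexpected zone
	fake := newCert("hub-01.iot.vendor-b.example", &rogue)      // right name, untrusted issuer
	cfg := &tls.Config{
		Certificates: []tls.Certificate{lamp},
		ClientAuth:   tls.RequireAndVerifyClientCert, // Go checks the chain against ClientCAs first,
		ClientCAs:    roots,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error { // then our policy runs
			_, err := verifyDevicePeer(rawCerts, roots, "vendor-b.example", x509.ExtKeyUsageClientAuth)
			return err
		},
	}
	cross = cfg.VerifyPeerCertificate(hub.Certificate, nil)
	wrongZone = cfg.VerifyPeerCertificate(cam.Certificate, nil)
	untrusted = cfg.VerifyPeerCertificate(fake.Certificate, nil)
	return
}

func main() {
	cross, wrongZone, untrusted := demo()
	fmt.Println("accepted:", cross, "| wrong zone:", wrongZone, "| untrusted CA:", untrusted)
}
```

The connecting side applies the same verifyDevicePeer check with x509.ExtKeyUsageServerAuth, where Go's ServerName matching additionally pins the exact hostname it dialed. The zone check is what makes the identity cross-vendor: a certificate from any trusted public CA is admitted only if its name lies in the namespace the peer was configured to trust, and neither step needs either vendor's cloud to be reachable at connection time.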