A centralized PKI is not a suitable solution for providing identities in large-scale IoT systems. The main problem is the high cost of managing X.509 certificates throughout their lifecycle, from installation to regular updates and revocation. Self-Sovereign Identity (SSI) is a decentralised option that reduces the need for human intervention and therefore has the potential to significantly reduce the complexity and cost associated with identity management in large-scale IoT systems. However, to leverage the full potential of SSI, the authentication of IoT nodes needs to be moved from the application layer to the Transport Layer Security (TLS) layer. This paper contributes to the adoption of SSI in large-scale IoT systems by addressing, for the first time, the extension of the original TLS 1.3 handshake to support two new SSI authentication modes while maintaining interoperability with nodes that implement the original handshake protocol. An open source implementation of the new TLS 1.3 handshake protocol in OpenSSL is used to experimentally demonstrate the feasibility of the approach.