DID Link: Authentication in TLS with Decentralized Identifiers and Verifiable Credentials

Sandro Rodriguez Garzon, Dennis Natusch, Artur Philipp, Axel Küpper, Hans Joachim Einsiedler, Daniela Schneider
2024-05-15
Abstract: Authentication in TLS is predominately carried out with X.509 digital certificates issued by certificate authorities (CA). The centralized nature of current public key infrastructures, however, comes along with severe risks, such as single points of failure and susceptibility to cyber-attacks, potentially undermining the security and trustworthiness of the entire system. With Decentralized Identifiers (DID) alongside distributed ledger technology, it becomes technically feasible to prove ownership of a unique identifier without requiring an attestation of the proof's public key by a centralized and therefore vulnerable CA. This article presents DID Link, a novel authentication scheme for TLS 1.3 that empowers entities to authenticate in a TLS-compliant way with self-issued X.509 certificates that are equipped with ledger-anchored DIDs instead of CA-issued identifiers. It facilitates the exchange of tamper-proof and 3rd-party attested claims in the form of DID-bound Verifiable Credentials after the TLS handshake to complete the authentication with a full identification of the communication partner. A prototypical implementation shows comparable TLS handshake durations of DID Link if verification material is cached and reasonable prolongations if it is obtained from a ledger. The significant speed improvement of the resulting TLS channel over a widely used, DID-based alternative transport protocol on the application layer demonstrates the potential of DID Link to become a viable solution for the establishment of secure and trustful end-to-end communication links with decentrally managed digital identities.
Cryptography and Security, Networking and Internet Architecture
### What problems does this paper attempt to solve?

This paper aims to solve the security and trust problems caused by relying on the centralized public key infrastructure (PKI) for authentication in the current Transport Layer Security (TLS) protocol. Specifically:

1. **Limitations of Centralized PKI**:
   - The current TLS protocol mainly uses X.509 digital certificates issued by Certificate Authorities (CA) for authentication.
   - Centralized PKI carries the risks of single points of failure and vulnerability to network attacks, which may damage the security and credibility of the entire system.
2. **Introduction of Decentralized Identifiers (DID) and Verifiable Credentials (VC)**:
   - DID and VC are important components proposed by W3C for decentralized identity management. DID allows entities to have full control over their unique identifiers, while VC is used to provide trusted statements about entity identities during the verification process.
   - These technologies can reduce the dependence on centralized CAs, thereby improving the robustness and security of the system.
3. **Improving TLS Authentication by Combining DID and VC**:
   - The paper proposes a new authentication scheme named DID Link, which enables the two communicating parties in TLS 1.3 to use self-signed X.509 certificates (containing DID) for pseudo-anonymous authentication.
   - After the TLS handshake is completed, the two communicating parties can complete the identification of the principal by exchanging VC bound to DID, ensuring the true identity of the communication partner.
4. **Maintaining TLS Compatibility**:
   - The design of DID Link maintains full compatibility with the existing TLS 1.3 standard, while introducing a new authentication mechanism to fully utilize the advantages of decentralized identity management, such as enhanced data privacy protection, higher robustness and security.

Through these improvements, DID Link aims to establish a more secure and trustworthy end-to-end communication link, especially in the context of Web 3.0, taking advantage of distributed ledger technology and decentralized applications (dApps).
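
The binding that lets a verifier accept a self-issued certificate without a CA, sketched as an added example that is not code from the paper or its prototype: the verifier resolves the DID carried in the certificate and accepts the certificate's public key only if the resolved DID document lists it, consulting a cache before the ledger. The `DidKeyVerifier` class, the in-memory `LEDGER`, the `did:example` identifier and the JWK-encoded key are assumptions made for illustration; the certificate's signature and the TLS handshake proof are assumed to be checked by the TLS stack.

```python
import base64

def b64u(raw: bytes) -> str:
    """Unpadded base64url, the encoding JWK uses for key bytes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample data: a 32-byte stand-in for the peer's Ed25519 public key
# and a dict standing in for the distributed ledger (DID -> DID document).
SERVER_KEY = bytes(range(32))
LEDGER = {
    "did:example:server": {
        "id": "did:example:server",
        "verificationMethod": [{
            "id": "did:example:server#key-1",
            "type": "JsonWebKey2020",
            "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": b64u(SERVER_KEY)},
        }],
    },
}

class DidKeyVerifier:
    """Hypothetical verifier-side check: is the certificate's key anchored under its DID?"""

    def __init__(self, ledger):
        self.ledger = ledger
        self.cache = {}        # DID -> DID document, filled on first resolution
        self.ledger_reads = 0  # counts trips to the ledger (the slow path)

    def resolve(self, did):
        if did not in self.cache:
            self.ledger_reads += 1
            doc = self.ledger.get(did)
            if doc is None or doc.get("id") != did:
                return None    # unknown DID: cache nothing and fail closed
            self.cache[did] = doc
        return self.cache[did]

    def key_is_bound(self, cert_did, cert_public_key):
        """True only if cert_public_key is listed in the DID document of cert_did."""
        doc = self.resolve(cert_did)
        if doc is None:
            return False
        presented = b64u(cert_public_key)
        return any(
            method.get("publicKeyJwk", {}).get("x") == presented
            for method in doc.get("verificationMethod", [])
        )
```

A cached DID document outlives a key rotation on the ledger unless the entry expires, so a deployment needs a lifetime on cached documents.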