An Efficient TLS 1.3 Handshake Protocol with VC Certificate Type
Leonardo Perugini, Andrea Vesco
TL;DR
The paper tackles the challenge of deploying Self-Sovereign Identity in IoT by enabling Verifiable Credentials in the TLS 1.3 handshake without breaking RFC-8446. It introduces a VC certificate type and a did_methods extension, allowing VC/DID-based authentication to run alongside traditional PKI, with a fallback path to preserve interoperability. The implementation requires only minimal changes to OpenSSL, offloading VC/DID logic to an external ssi provider that interfaces with the IOTA Identity library. Experimental evaluation on Raspberry Pi hardware shows the VC-enabled handshake is feasible and achieves performance close to PKI-based approaches, especially when using an IPsec path to the DLT, indicating practical viability for large-scale IoT deployments.
Abstract
The paper presents a step forward in the design and implementation of a Transport Layer Security (TLS) handshake protocol that enables the use of Verifiable Credentials (VCs) while maintaining full compliance with RFC-8446 and preserving all the security features of TLS 1.3. The improvement over our previous work lies in the handshake design, which now only uses messages already defined for TLS 1.3. The design has an incredibly positive impact on the implementation, as we made minimal changes to the OpenSSL library and relied mostly on a novel external provider to handle VC and Decentralized IDentifier (DID) related operations. The experimental results prove the feasibility of the design and show comparable performance to the original solution based on Public Key Infrastructure (PKI) and X.509 certificates. These results pave the way for the adoption of Self-Sovereign Identity in large-scale Internet of Things (IoT) systems, with a clear benefit in terms of reducing the cost of identity management.
