Integrating the Self-Sovereign Identity in the TCP/IP Stack While Preserving Interoperability with Existing Identity Models

Self-Sovereign Identity (SSI) is an emerging decentralised identity model that gives peers full control over the data they use to create and prove identity. This new model is based on three fundamental elements: Verifiable Data Registry as the root-of-trust for public keys, Decentralised IDentifiers and Verifiable Credentials as the key identity components currently being standardised by the World Wide Web Consortium (W3C). Most of today's research and implementations use SSI at the application layer of the TCP/IP stack. While this approach makes SSI easier to adopt, it limits the overall benefits of using SSI. Considering a generic authentication process, a client establishes a Transport Layer Security (TLS) channel and authenticates the server using the server's certificate. The server then authenticates the client, which sends its Verifiable Credential over TLS at the application layer. While this approach is suitable for Web scenarios, the use of certificates in large-scale Internet of Things (IoT) systems requires human intervention and entails high management costs. This drawback, widely recognised by industry players, led us to explore the use of Verifiable Credential (VC) in the TCP/IP layers below the application layer to avoid the use of certificates and take full advantage of SSI. This chapter provides an overview of the design choices we made for TLS and IKEv2 in IPSec, and finally our efforts to migrate the SSI to post-quantum cryptography.