Enabling Decentralised Identifiers and Verifiable Credentials for Constrained IoT Devices using OAuth-based Delegation

Decentralised identifiers (DIDs) and verifiable credentials (VCs) are emerging standards for self-sovereign, privacy-preserving identifiers and for authorisation, respectively. This focus on privacy can improve many services and open up new business models, but using DIDs and VCs directly on constrained IoT devices is problematic because of the management and resource overhead: DID resolution, VC verification and policy evaluation are costly for a device with little memory, computation or connectivity. This paper presents an OAuth-based method that delegates VC processing and access-policy management to the Authorisation Server, so that systems built from constrained IoT devices can also benefit from DIDs and VCs.
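To make the delegation pattern concrete, here is an added, self-contained illustration written for this page; it is not the paper's own protocol or code. It assumes the ACE-OAuth style of deployment in which the Authorisation Server (AS) and the constrained resource server (RS) share a symmetric key, so the RS only has to check an HMAC over a small token, while all DID resolution, VC proof checking and policy evaluation happen at the AS. Everything specific in it is constructed: the DIDs, the issuer and RS keys, the `POLICY` table, the credential type `MaintenanceTechnicianCredential` and the resource URI. One deliberate simplification is labelled in the code: the VC proof is checked with a per-issuer HMAC keyed from a stand-in DID registry rather than a public-key signature verified against a resolved DID document, so that the example runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for DID resolution: DID -> key used to check the VC proof.
# In a real deployment the AS resolves the DID document and verifies a public-key
# signature; an HMAC keyed per issuer is used here only so the example runs offline.
ISSUER_KEYS = {
    "did:example:issuer-hr": b"issuer-hr-secret-constructed",
}

# Symmetric key shared between the AS and one constrained RS (ACE-OAuth style).
# Constructed value; the RS knows only its own key and never sees a VC.
RS_KEYS = {
    "coap://sensor-42": b"rs-sensor-42-shared-key-constructed",
}

# Access policy held at the AS (assumed, illustrative): per resource, which
# credential type with which claim values is granted which scope.
POLICY = {
    "coap://sensor-42": {
        "MaintenanceTechnicianCredential": {"site": "plant-7", "scope": "read write"},
    },
}

TAG_LEN = hashlib.sha256().digest_size


def _canon(obj):
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_vc(vc_body, issuer_key):
    return hmac.new(issuer_key, _canon(vc_body), hashlib.sha256).hexdigest()


def issue_vc(issuer_did, subject_did, cred_type, claims, expiration):
    # Issuer side: build the VC body and attach the (simplified) proof.
    body = {
        "issuer": issuer_did,
        "type": ["VerifiableCredential", cred_type],
        "credentialSubject": {"id": subject_did, **claims},
        "expirationDate": expiration,
    }
    return {**body, "proof": sign_vc(body, ISSUER_KEYS[issuer_did])}


def verify_vc(vc, now):
    # AS side: "resolve" the issuer DID, check the proof, check expiry.
    body = {k: v for k, v in vc.items() if k != "proof"}
    key = ISSUER_KEYS.get(vc.get("issuer"))
    if key is None:
        return False, "unknown issuer DID"
    if not hmac.compare_digest(vc.get("proof", ""), sign_vc(body, key)):
        return False, "bad proof"
    if vc.get("expirationDate", 0) <= now:
        return False, "credential expired"
    return True, "ok"


def as_token_endpoint(vc, audience, now, lifetime=300):
    # AS token endpoint: verify the presented VC, evaluate policy, and mint a
    # short-lived token the RS can check with nothing but its shared key.
    ok, why = verify_vc(vc, now)
    if not ok:
        return None, why
    rules = POLICY.get(audience, {})
    subject = vc["credentialSubject"]
    for cred_type in vc["type"]:
        rule = rules.get(cred_type)
        if rule and all(subject.get(k) == v for k, v in rule.items() if k != "scope"):
            payload = {"aud": audience, "sub": subject["id"],
                       "scope": rule["scope"], "exp": now + lifetime}
            raw = _canon(payload)
            tag = hmac.new(RS_KEYS[audience], raw, hashlib.sha256).digest()
            return base64.urlsafe_b64encode(raw + tag).decode(), "ok"
    return None, "no policy grants access"


def rs_authorize(token, my_audience, op, now):
    # Constrained RS: one HMAC, one JSON parse, three comparisons. No DID or VC code.
    key = RS_KEYS[my_audience]
    try:
        blob = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return False
    raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, raw, hashlib.sha256).digest()):
        return False
    payload = json.loads(raw)
    if payload.get("aud") != my_audience or payload.get("exp", 0) <= now:
        return False
    return op in payload.get("scope", "").split()
```

The split is the point of the delegation: the RS's verification path has no DID resolver, no JSON-LD or signature-suite code and no policy store, so adding a new issuer DID or changing which credentials unlock a resource is an AS-side change only. The token's `aud` and `exp` checks at the RS keep a token minted for one device from being replayed against another or used after the AS-chosen lifetime.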
