To describe the proposal for this project, first, we present the problem statement. Then, the details of the proposal are outlined, indicating the main and secondary objectives, the methodology, timeline and alignment with research programmes.

1.Problem Statement
As discussed in the previous section, the current state of the art for SSI in IoT shows us that, despite many use cases are considered for peer-to-peer transactions, most of them are designed for simple interactions that consist of one-to-one dialogs. In these scenarios, credentials are used to accredit personal information of individual users or objects. For this reason, we will term them as individual credentials.
When we consider more complex scenarios in which interdependency conditions appear, more flexible mechanisms for identity management transactions must be adopted. In particular, we assume that one-to-one transactions are not enough in these scenarios and we must consider group-to-one, one-to-group, or group-to-group transactions, i.e., transactions in which a group of participants need to join in order to be authenticated or authorized, or those in which a group is in charge of validating a credential. Here, many problems that are not solved in state-of-the-art solutions arise.
Following the SSI model, if a group of participants wants to be authenticated or authorized, it would require the use of a certain credential for the group. At first, we could think that group credentials are a simple extension of individual credentials to represent a group of participants. Yet, we must consider that, especially in IoT scenarios, these groups are formed dynamically, i.e., they are temporarily created for brief periods of time, under changing conditions and probably for different purposes. This implies that group credentials cannot be a simple extension of their individual counterpart, but they should be flexible enough to consider group formation dynamics. We can think on a group as a “collaboration” among different participants that temporally join their own capabilities (individual credentials) to create a new credential. We term this new type of credentials as collaborative credentials.

1. There are key differences between individual and collaborative credentials:
   As the generation of a collaborative credential involves all the participants in the group, there are several issuers of the credential, in contrast with a single issuer for individual credentials. This implies that new mechanisms for issuing collaborative credentials are needed. These mechanisms should define a negotiation method and a consensus protocol to establish the collaboration among participants.
2. A collaborative credential is only created under certain conditions met by all the participants. Thus, there is a need to define a framework to establish and share such conditions. In individual credentials, the decision of sharing the credential is up to the owner of the credential.
3. Due to the changing conditions in IoT scenarios where collaborative credentials are expected to be used, issuers (participants) might have the option to monitor if the collaboration conditions are kept during the lifetime of the credential, in order to decide about its revocation. In individual credentials, issuers are not continuously monitoring their use to decide if the credentials should be revoked or not.

As we are considering the application of these collaborative credentials in IoT scenarios, one cannot forget the rest of problems inherent to IoT: lack of resources of IoT devices, the need of non-interactive protocols for exchanging information, security risks associated to interdependency, mobility, scalability, etc. All of them represent a set of challenges in the design of such a type of credentials. Despite these technical challenges, it is also important consider the problem from a legal point of view. A main requirement is that collaborative credentials are in conformance with legal and normative frameworks, such as GDPR, eIDAS, ISO 29001:2011 privacy framework, or the recently published ETSI EN 303 645 cybersecurity standard for IoT. For this reason, when a collaboration is established within a group, there is a need for a negotiation protocol that consider legal and normative aspects and decide about the conformance level of a possible collaborative credential. This is especially relevant in IoT scenarios, where the participants (and thus also the issuers) could be either people or objects. The main reason is that the liability of people differs from that applicable to objects, and the same applies for rights and obligations. For this reason, there is a need to establish a technical solution that integrates the legal frameworks and consider these aspects.

2. Main Hypothesis
In summary, the main hypothesis of this project is that it is possible to define feasible procedures, protocols, algorithms and mechanisms for the implementation of collaborative credentials following the SSI model in IoT scenarios. These credentials have the following features:

• They allow proving the capability of a group of participants, which jointly participate in an authentication or authorization procedure.
• They are automatically generated by a negotiation protocol among the participants.
• This negotiation protocol considers not only technical issues but also legal aspects.
• The agreement to create credentials can be monitored, and there exist a real time protocol to revoke the credentials in case of the agreement rejection.

Now we specify in more detail some of the open research challenges that will be considered in this project proposal:

- On the context definition for collaborative credentials:

1) Defining use cases for collaborative credentials.

2) How to identify the set of specific requirements in the considered scenario (collaborative credentials), considering both technical and legal requirements, with a special emphasis in security and privacy. Developing a taxonomy for these requirements.

3) Defining a syntax and a semantic for identified technical and legal requirements, in compliance with current standards (W3C).

4) Establishing an adversary model for collaborative credentials, with potential attacks and threats.

- On the negotiation process to issue collaborative credentials.

1) Finding incentive mechanisms for collaboration among participants.

2) Creating protocols for the negotiation of the collaboration agreement. These protocols should be able to: i) choose a representative participant to become the holder of the collaborative credential; ii) decide which participants are eligible for the collaboration; iii) define strategies to reach a consensus among participants; iv) be secure and resilient to collusion attacks; v) provide privacy capabilities.

- On the lifetime of collaborative credentials.

1) Investigating revocation protocols for the identification of accurate candidates for revocation in collaborative credentials.

2) Finding automatic expiring mechanisms for collaborative credentials and their impact in the different use cases.

3) Specifying a protocol that allows the renegotiation and renewal of the initial agreement, according to changes in the context or expiration of the initially created collaborative credential.

- On the implementation of collaborative credentials.

1) Finding possible limitations in the implementation of collaborative credentials in IoT ecosystems where devices are resource-constrained. Evaluating the performance of solutions.

2) Determining the feasibility of the definition of collaborative credentials in current Blockchains.