should be chosen. Implementers are not limited to using if-else statements.
If the MIDlet is trying to access a method protected by the Domain Mechanism, and
access to it is denied, the implementation throws
/0.
.
If the MIDlet is trying to access a method protected by the Static Mechanism, and
access to it is denied, the implementation throws
/0.
.
Evaluating Individual Access Control Entry
When evaluating ACE, the MIDlet is granted permission to open an APDU connection
with an application in the SE if the ACE principal identifies a domain category
(CHOICE domain is used with the OID indicating 'operator', 'manufacturer', or
'trusted third party') and the MIDlet belongs to the same domain.
When evaluating ACE, the MIDlet is granted permission to open an APDU connection
with an application in the SE if the ACE principal identifies the domain root (CHOICE
rootID is used) and the corresponding PrincipalID matches with the hash of the root
certificate in the path used to sign the MIDlet.
When evaluating ACE, the MIDlet is granted permission to open an APDU connection
with an application in the SE if the ACE principal identifies an end-entity (CHOICE
endEntityID is used) and the corresponding PrincipalID matches with the end-entity
certificate used to sign the MIDlet.
When evaluating ACE, the MIDlet is granted permission to send an APDU to an
application in the SE if the APDU being sent by the MIDlet is specified by at least one
ACE.
When evaluating ACE, the MIDlet is granted permission to send an APDU to an
application in the SE if the APDU being sent by the MIDlet is not one of those used for
application selection and channel management.
A MIDlet operation is considered to be specified by an ACE if the following condition
is satisfied: APDU(MIDlet) AND mask(ACE) = APDU(ACE),
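
The mask condition above, worked through as an added example (plain Java SE 16+, not code from this guide or from a JSR-177 implementation). Assumptions: the comparison covers the four header bytes CLA, INS, P1, P2; both APDU conditions must hold together; the selection and channel management commands are taken to be ISO 7816-4 SELECT by DF name and MANAGE CHANNEL; all class and method names are hypothetical.

```java
import java.util.List;

public class ApduAceCheck {
    // One APDU permission from an ACE: header value and mask (4+4 byte layout assumed).
    record ApduRule(int value, int mask) {
        // Value bits outside the mask can never survive the AND, so the rule is dead.
        boolean neverMatches() { return (value & ~mask) != 0; }
    }

    // Packs CLA, INS, P1, P2 of a command APDU into one int.
    static int header(byte[] apdu) {
        if (apdu == null || apdu.length < 4)
            throw new IllegalArgumentException("command APDU needs a 4-byte header");
        return ((apdu[0] & 0xFF) << 24) | ((apdu[1] & 0xFF) << 16)
             | ((apdu[2] & 0xFF) << 8) | (apdu[3] & 0xFF);
    }

    // ISO 7816-4: MANAGE CHANNEL is INS 0x70; SELECT by DF name is INS 0xA4 with P1 0x04.
    static boolean isSelectionOrChannelCommand(int hdr) {
        int ins = (hdr >>> 16) & 0xFF, p1 = (hdr >>> 8) & 0xFF;
        return ins == 0x70 || (ins == 0xA4 && p1 == 0x04);
    }

    // True if APDU(MIDlet) AND mask(ACE) = APDU(ACE) holds for at least one rule.
    static boolean mayExchange(byte[] apdu, List<ApduRule> rules) {
        int hdr = header(apdu);
        if (isSelectionOrChannelCommand(hdr)) return false;
        for (ApduRule r : rules)
            if ((hdr & r.mask()) == r.value()) return true;
        return false; // no ACE specifies this APDU
    }

    public static void main(String[] args) {
        // Constructed ACE contents, not taken from any real card.
        List<ApduRule> rules = List.of(
            new ApduRule(0x80200000, 0xFFFF0000),  // CLA 80, INS 20, any P1/P2
            new ApduRule(0x00A40000, 0xFFFF0000),  // would cover SELECT, still refused
            new ApduRule(0x00B00001, 0xFFFF0000)); // dead rule: value bit outside mask
        for (ApduRule r : rules)
            if (r.neverMatches()) System.out.printf("dead rule %08X/%08X%n", r.value(), r.mask());
        byte[][] samples = {                        // constructed command headers
            {(byte) 0x80, 0x20, 0x00, 0x01},
            {0x00, (byte) 0xA4, 0x04, 0x00},
            {0x00, 0x70, 0x00, 0x00},
            {0x00, (byte) 0xB0, 0x00, 0x01}};
        for (byte[] s : samples)
            System.out.printf("%08X -> %s%n", header(s), mayExchange(s, rules) ? "allow" : "deny");
    }
}
```

The third rule shows a provisioning mistake worth checking for when reviewing an ACF: a value with bits set outside its mask silently grants nothing, because the masked header can never equal it.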
12.3.4 Security Requirements
Java ME Developer Guide
Chapter 12 - JSR-177 Java ME Security and Trust Services API
[98/201]
DRAFT - Subject to Change