Security domains are
defined by Global Platform. It is not an ISO 7816 feature. Fundamentally
an SD is just a Java Card(TM) Applet with a
bunch of keys in it.
The Card Management Applet can create one, and you will need the secret
card management keys to do so. The card management keys are 'known' to
the card issuer.
To create an additional security domain you need the active support from
the issuer. They can use their keys to create the Security Domain and
initialise it with your secret domain management keys.
Without that support It won't be possible to create an SD.
In my opinion the whole SD concept is rather cumbersome, it was hastily
conceived in the context of VISA Open Platform, the precourspr to Open
Platform, without full appreciation of the Java card security concept:
peer-to-peer security with strict separation between applets by a
firewall, without the need for a super-user. Commercial need to release
Java Card 2.0 in time prevented a timely correction of this
misconception. The rest is history.
Eduard de Jong
I was there at the time of the creation of the Java Card 2.0 specs.
Pu Yongming wrote: