JSR-177 recommends Security Element Access Control (Appendix A) and mentions a Domain Mechanism, through certificates, and Static access control, through Access Control Files. However, it does not mention the specifics on configuring these. For instance, it suggests that the SE 'defines a private domain by providing the domain root object' and 'is able to publish its access control requirements in an Access Control File'

Does this mean that access control implementation is SE dependent? If so, are there examples available? Is this recommendation commonly followed? Any pointers are appreciated.