A protection domain is a set of permissions and interaction modes. Those permissions can be either automatically granted or deferred until user approval. There are four different interaction modes for permissions: Blanket, Session, Oneshot, and No (see section User granted permissions). When a MIDlet suite is installed, it is assigned to a given protection domain and acquires its permissions and interaction modes.
Each protection domain, except for the untrusted domain, is associated with a set of root certificates. When signing a MIDlet suite, it is necessary to use a public key certificate that can be validated against one of those root certificates. This association is used to assign the MIDlet suite to a given protection domain. A domain can be associated with many root certificates, whereas a root certificate is associated with only one domain.
The MIDP 2.0 specification recommends four protection domains for GSM/UMTS devices:
Manufacturer
The manufacturer domain uses root certificates belonging to the device producer.
Operator
The operator domain is used for the network operator MIDlets and may use root certificates available on storages such as SIM cards.
Trusted third party
The trusted third party domain will encompass well-known Certificate Authorities' (CA) root certificates.
Untrusted
The mandatory untrusted domain has no associated root certificate and is used for unsigned and MIDP 1.0 MIDlet suites.
Java code signing certificates that have been acquired from well-known Certificate Authorities (CAs) and are included in the target devices can be used to sign MIDlets. Alternatively, various developer programs, for example from operators or other software publishers, offer signing services when an application is submitted to them (see for example the Java Verified™ Program Web page).
Since the number of domains and their associated permissions may deviate from the recommendations of the MIDP 2.0 addendum in some networks, you should seek information from the network operator your MIDlet suite is targeting. Additionally, it may be worthwhile checking the set of root certificates available on a given device for Java authentication.
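The binding between root certificates and protection domains described above can be modelled as follows. This is an added example, not code from the MIDP specification or any device; the root names, the policy table and the (subject, issuer) chain representation are constructed, and signature verification is reduced to name linkage. Rejecting a signed suite whose chain reaches no device root follows the MIDP 2.0 specification rather than this page.

```python
# Added illustration: how a device binds a MIDlet suite to a protection domain.
# Domain names follow the page; root names and chains are constructed samples.
UNTRUSTED = "untrusted"

# Constructed device policy: each domain lists the root certificates bound to it.
DEVICE_POLICY = {
    "manufacturer": ["Example Device Maker Root"],
    "operator": ["Example Operator Root (SIM)"],
    "trusted third party": ["Example CA Root 1", "Example CA Root 2"],
}


def build_root_index(policy):
    """Invert domain -> roots into root -> domain, enforcing one domain per root."""
    index = {}
    for domain, roots in policy.items():
        if domain == UNTRUSTED and roots:
            raise ValueError("the untrusted domain has no root certificate")
        for root in roots:
            if index.get(root, domain) != domain:
                raise ValueError(f"root {root!r} is bound to {index[root]!r} and {domain!r}")
            index[root] = domain
    return index


def chain_root(chain):
    """Return the issuer that ends a leaf-first chain of (subject, issuer) pairs,
    or None if the links do not connect. Real devices also verify signatures."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return None
    return chain[-1][1] if chain else None


def assign_domain(chains, root_index):
    """Pick the protection domain for a suite carrying zero or more chains."""
    if not chains:  # unsigned or MIDP 1.0 suite
        return UNTRUSTED
    for chain in chains:  # first chain that reaches a device root wins
        domain = root_index.get(chain_root(chain))
        if domain:
            return domain
    # Signed, but nothing validates: installation is refused, not downgraded.
    raise PermissionError("no certificate chain validates to a device root")
```

A signed suite never falls back to the untrusted domain in this model: it either lands in the domain of the root its chain reaches or is refused.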