Difference between static key domain membership and association

Dear community,
following SmartCard-HSM XKEK key domain how to

I stumbled within the step “Adding a Device to the Group”

  • Next you will need to issue the KDM for the device. Right-click on the AT-CVREQ node under the group signer and select “Group Signer Operations”.

over the following signature formats for issuing a Key Domain Membership (KDM) for a device:

  1. Static key domain membership (>=3.4)
  2. Static key domain association (>=3.4)
  3. Key domain membership (<3.4)

What is the difference between ‘Static key domain membership’ and ‘Static key domain association’? What implications does it have?

I want to use one HSM with group signer and XKEK key domain, with a backup HSM (incl. group signer and key domain) and several HSM key holders with m to n authentication to the XKEK key domain.

Thanks and best regards,
Tobias

While a key domain membership issued by a group signer allows a device to join the key domain, a key domain association issued by a group signer allows establishing an XKEK with another key domain.

Key domain associations create a link between two key domains that allows migrating key material from one key domain into the other. Both group signers need to cross-sign the other key domain for that purpose.

Normally the two EC key pairs generated to derive the XKEK must reside in the same key domain. A key domain association creates an exception to this rule, in that one EC key pair can be in the associated key domain. As a result, the same XKEK is established in two different key domains, allowing keys to be wrapped in one key domain and unwrapped in the other.

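A toy model of the rule given in the answer above, added here as an illustration and not CardContact's code or the SmartCard-HSM's real formats: finite-field Diffie-Hellman stands in for the EC key agreement and an HMAC for the group signer's signature (both assumptions); only the policy, that the two key pairs must sit in one key domain unless both group signers have cross-signed the other domain, is taken from the text.

```python
# Toy model of key domain membership vs. association (constructed example).
# Finite-field DH stands in for the SmartCard-HSM EC key agreement, an HMAC for
# the group signer's signature; only the policy rule comes from the answer above.
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy DH group (assumption: stand-in for the real EC domain parameters)
G = 3

class KeyDomain:
    def __init__(self, name):
        self.name = name
        self.signer_key = secrets.token_bytes(32)  # group signer's private key (toy)
        self.associations = set()                  # peer domains this signer cross-signed

    def sign(self, message):
        return hmac.new(self.signer_key, message, hashlib.sha256).digest()

    def issue_association(self, other):
        """Group signer cross-signs the other key domain (key domain association)."""
        self.associations.add(other.name)

    def is_associated_with(self, other):
        """Counts only once both group signers have cross-signed the other domain."""
        return other.name in self.associations and self.name in other.associations

class Device:
    def __init__(self, domain):
        self.domain = domain
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        # Key domain membership: the group signer binds this key pair to its domain.
        self.kdm = domain.sign(f"{domain.name}:{self.pub}".encode())

def membership_valid(device):
    expected = device.domain.sign(f"{device.domain.name}:{device.pub}".encode())
    return hmac.compare_digest(expected, device.kdm)

def derive_xkek(local, peer):
    """Both key pairs must be in one key domain unless the two domains are associated."""
    if not (membership_valid(local) and membership_valid(peer)):
        raise PermissionError("key domain membership missing or forged")
    if local.domain is not peer.domain and not local.domain.is_associated_with(peer.domain):
        raise PermissionError("key pairs in different, non-associated key domains")
    shared = pow(peer.pub, local.priv, P)  # identical on both sides of the exchange
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()
```

With a one-sided cross-signature the derivation is still refused; once both group signers have issued the association, a device in domain A and a device in domain B derive the same XKEK, which is what lets a key wrapped in one domain be unwrapped in the other.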

Thank you for your fast answer!