...
Such Device Keys may be created using a Key Derivation Key (KDK) which is common to an application providers (usually a sales channels) all devices. This KDK can then be shared among the participants which should be able to validate the device signature protection. The KDK is a symmetric key which need so needs to be held confidential to any adversaries. For this reason it is not exchanged through the Metadata, but rather provided bilaterally using the Device API endpoint, and then only to authorised entities.
...