User Profile

Regarding the beta feature of storing WebAuthn passkeys in the iCloud Keychain, does anybody know if the unencrypted passkeys ever leave the secure enclave, getting stored in RAM or anything? With traditional WebAuthn on a Yubikey or similar device, my understanding is that the private key never leaves the Yubikey, that the requester just inputs the ID of the passkey they'd like to use and supplies a challenge to sign to the Yubikey, and the Yubikey spits out the signed challenge. That way, even if an attacker has root access to your machine, they still can't get that passkey. I'm hoping it works a similar way for iCloud Keychain passkeys: that the encrypted passkey and the challenge are fed to the secure enclave, which then decrypts the encrypted passkey, and then uses it to sign the challenge and then spits out the result, all with the unencrypted passkey never leaving the secure enclave. But I can't find anything definitively stating this. Anyone know for sure / have sources to back it up?

The Configuring Safari Push Notifications guide explicitly states Important: After February 14, 2016, you will need to sign the push package with both the web push certificate and the intermediate certificate. The updated create_signature function in the attached createPushPackage.php companion file processes both certificates. However, the latest version of the createPushPackage.php companion file no longer lets you specifiy the intermediate cert, and does not seem to use one in it's create_signature function. So is signing with an intermediate cert still required, or not? And can the documentation be updated to remove the uncertainty?