Why does Cryptokit distinguish between private EC keys used for signing and key agreement? I noticed you can transform those keys into each other but for what purpose are they different? After all its an BigInt in both cases.

I've created a p256 ec key in the SE, stored it in the keychain, and have a X.509 certificate for that key, now I want to create and store a SecIdentity item in the keychain on iOS. SecIdentityCreateWithCertificate is available on macOS only., so that is not an option. How am I supposed to create a SecIdentity without having that call available?

I am building a NEPacketTunnelProvider, and in its configuration I set a SecIdentity persistent reference. That reference is passed to the tunnel provider but when I try to use it there, I get an errSecInteractionNotAllowed error. The private key for that identity is protected by .userPresence. If I remove the protection, the network extension can access the identity and the private key. Is there any way that a VPN network extension can use a keychain item protected by .userPresence?