I'm just pointing out the advice which is constantly and consistently given by 
Apple (particularly Quinn) on the developer forum that getting the bits of a 
private key on iOS is unsupported and subject to change, and to do the job on a 
server which you trust and return the information. Here's one such thread; 
there are dozens of them. 

https://devforums.apple.com/message/951417#951417

My bug report requesting a CSR-generating API on iOS which leaves the 
private key in the keychain such that it can be validated against, even if you 
can't read it, is still open. 

On 14 May, 2014, at 10:32 pm, Jens Alfke <j...@mooseyard.com> wrote:

> 
> On May 14, 2014, at 7:15 AM, Roland King <r...@rols.org> wrote:
> 
>> If you ask a similar question to the original poster on any of the Apple 
>> Developer Forums you'll be advised not to generate key pairs on a device but 
>> to do it on a server (the advice will probably come from Quinn)
> 
> That’s a weird idea. If the server creates the key-pair, then the server 
> knows your private key, which I would consider a major security breach. If 
> you’re going to trust the server with your credentials, you might as well 
> skip the fiddly encryption stuff altogether and save yourself a lot of work. 
> Otherwise the public keys and certs are just mumbo-jumbo to give the 
> appearance of security.
> 
> Put another way: one of the major purposes of public-key crypto is to put you 
> in charge of your own encryption. You generate a key-pair locally on your 
> device/computer, and the private key is known only to you and never leaves 
> that device (except maybe inside a passcode-protected PKCS12 file.) I think 
> of private keys as being like nuclear fuel rods — you keep them in a heavily 
> shielded container (the Keychain) and never let them be exposed to daylight. 
> If you do that, you have a very secure system.
> 
> —Jens
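The flow both posters are circling, generate the pair on the device, keep the private key unreadable, and hand the server only a CSR it can verify against the embedded public key, as an added example. This is not code from the thread or from Apple's Security framework; it uses Go's standard library (crypto/ecdsa and crypto/x509) in place of SecKeyGeneratePair and the keychain, and the Device type, the subject name "device-42" and the byte-flip tamper step are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// Device models the client side (hypothetical stand-in for the keychain). The
// private key is generated here and no method returns it: only the public key
// and CSRs signed with the private key ever leave this type.
type Device struct {
	priv *ecdsa.PrivateKey
}

// NewDevice generates a P-256 key pair locally, the analogue of generating the
// pair on the phone and leaving the private half in the keychain.
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material the device hands out.
func (d *Device) PublicKey() crypto.PublicKey { return &d.priv.PublicKey }

// CSR builds a PKCS#10 request for commonName and signs it with the private
// key. The DER contains the public key and a signature over the request body,
// not the private key.
func (d *Device) CSR(commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, d.priv)
}

// VerifyCSR is the server side: parse the bytes and check the self-signature,
// which proves the requester holds the private key matching the embedded
// public key. The server needs no private key to do this.
func VerifyCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if _, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok {
		return nil, errors.New("CSR does not carry an ECDSA public key")
	}
	return csr, nil
}

// Enroll runs the round trip and returns true when the CSR the server accepted
// carries this device's own public key and the requested subject.
func Enroll(commonName string) (bool, error) {
	dev, err := NewDevice()
	if err != nil {
		return false, err
	}
	der, err := dev.CSR(commonName)
	if err != nil {
		return false, err
	}
	csr, err := VerifyCSR(der)
	if err != nil {
		return false, err
	}
	pub := csr.PublicKey.(*ecdsa.PublicKey)
	return pub.Equal(dev.PublicKey()) && csr.Subject.CommonName == commonName, nil
}

// TamperedCSRRejected flips one byte of the subject inside a valid CSR and
// reports whether the server rejects it. Depending on the byte the request
// may fail to parse or fail its signature check; either way it is refused.
func TamperedCSRRejected(commonName string) (bool, error) {
	dev, err := NewDevice()
	if err != nil {
		return false, err
	}
	der, err := dev.CSR(commonName)
	if err != nil {
		return false, err
	}
	i := bytes.Index(der, []byte(commonName))
	if i < 0 {
		return false, errors.New("subject not found in DER")
	}
	tampered := append([]byte(nil), der...)
	tampered[i] ^= 0x01
	_, err = VerifyCSR(tampered)
	return err != nil, nil
}

func main() {
	ok, err := Enroll("device-42")
	fmt.Println("enrollment verified:", ok, err)
	rejected, err := TamperedCSRRejected("device-42")
	fmt.Println("tampered CSR rejected:", rejected, err)
}
```

The server learns the public key and gets proof of possession from the CSR signature; what it signs and returns is a certificate, which is public by design. Whether the Security framework on iOS will let you build the CSR this way without first exporting the key bits is exactly the open question in the thread; the example only shows what the protocol needs, not how to get it out of the keychain.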

_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
