Context:
CloudKit is a framework that lets app developers store key-value data, structured data, and assets (large data stored separately from the database, such as images or videos) in iCloud. CloudKit supports both public and private databases, grouped in containers. Public databases are globally shared, typically used for generic assets, and aren’t encrypted. Private databases store each user’s iCloud data
CloudKit uses a hierarchy of keys that matches the structure of the data. Each container’s private database is protected by a key hierarchy, rooted in an asymmetric key called a CloudKit Service key. These keys are unique to each iCloud user and generated on their trusted device. When data is written to CloudKit, all record keys are generated on the user’s trusted device and wrapped to the appropriate key hierarchy before any data is uploaded.
My question is: If Zone Keys can be securely shared using the HSM public keys for servers and iCloud Keychain for devices, why do Service Keys need to be asymmetric or exist at all?
