Thank you for your inputs Quinn! I have another question for you -- while on macOS, I see there are constants for SecPolicyCreateWithProperties to check KU values for digital signature and non repudiation (specifically, kSecPolicyKU_DigitalSignature and kSecPolicyKU_NonRepudiation), these are not defined for iOS. I've combed through the open source Security implementation, but as I understand, the policies are just passed on to securityd. Does this mean I can't check for these particular KU values during evaluation (or more appropriately, check them manually)? BTW... I've gone through a lot of forum posts here, and it would seem you answer just about all of them! Really appreciate it!!

Any alternatives, then? :)