OS 10.5.8
I thought I would open keychain out of curiosity and I see there is a couple of items which says "This root certificate is not trusted" I looked at apple support and it said NOT to delete them.
They are: com.apple.kerberos.kdc & com.apple.systemdefault
I believe the first one has something to do with p2p which I
did use several weeks back (but not now)
I have never used keychain. Can someone please elaborate?
Should I ignore any future such notices?
jaybass

Kerberos (developed at MIT) is used for single sign-on in large networks. Apple uses it both for Mac OS X server's Open Directory (probably not relevant to you) and for authentication on a local network (as well as remote access through Back To My Mac).

Those are normally locally signed (that is, not backed by VeriSign or one of the big places) and is to be expected for the kerberos cert. I'm not sure about the com.apple.systemdefault, though, but I'd suspect it is similarly a local creation, as VeriSign charges big bucks for each and every signed certificate.

The key idea is that these are public/private certificate pairs that will take longer than the age of the known universe to crack. The encryption is very strong and definitely present. What is missing is proof that the certificate is who it says it is, and only VeriSign (or equivalent) will make that assertion.

In other words, you are safe, and certainly should NOT mess around with them in keychain.

Thank you David for your comprehensive reply. I must confess I am not familiar with the details but it does give me a little insight.
I will not "mess" around with keychain.
jaybass

Just to make sure: there may be good reasons to 'mess' with (certain components of) Keychain, just not with these particular files.

That's quite a mouthful from pendragon.

I hope I never have to use keychain.

jaybass

Since its use is quite transparent it's quite possible, if not likely, that you're already using it... How's that for a mouthful?

• Do you ever save the userid and password for a web site in Safari?
• In Mail have you stored the userid and password for your email accounts?
• Do you ever visit any secured web pages (https) such as those used to pay for online purchases?

All of these are dependent on Keychain to store and manage the various userid/password combinations and/or security certificates. It would be very difficult, in fact, to use OS X without making use of Keychain, whether you are aware of it or not. Keychain is generally completely transparent to the user but essential to the user's computing experience.

AFAIK, if you're using OS X you're using keychains.

From Apple's Mac OS X 10.5 Help About keychains:


You might be interested in this thread in FTM's New User's forum: Keychain - Do I want to?

That thread in FTM's New User's forum is very informative.
I have put it in my documents which I shall peruse later.
Thank you.
jaybass

I don't use safari but yes to the other 2 questions.

As in my response to Cyn, I will definitely delve into keychain.

Alternaut, Thanks for the mouthful.

jaybass

I'll have to disagree here. We see people almost once a week that have a locked keychain that won't unlock. This results from them using their restore disk to reset their password, usually because they can't run software updates because they forgot their password. (auto login is not a good idea imho, for this reason)

The boot disk resets their password, but does not delete nor disable their keychain, so it remains their default keychain, with their old (unknown) password, and does not unlock on login.

Each time they try to do something that can use data in the keychain (like browse to certain websites with forms to be autofilled) or check/send mail, the system sees the entry it needs in the keychain but cannot get the data out, and prompts for the keychain password. Users tend to be very tolerant of clicking cancel all the time before they finally bring it in for us to fix.

Besides the annoying constant popups asking for the keychain password, the user then has to input their email password when receiving (and sometimes when sending) mail, and none of their forms on the web pages autofill. (there are many other minor things that won't work also) So it's quite possible for a user to get by without access to their keychain, they do it all the time.

Irony of this typical mess is it's usually a call to Apple that results in their using their restore disks. Why on earth Apple doesn't tell them to trash their keychain when walking through this I don't know. Then again why the password reset app doesn't manage this for you is also a mystery. Apple going to signed updates to avoid users needing to type their admin password to install software updates seems like a move in the wrong direction.

Something just occurred to me - if the master password is set, and the master password is used to reset a user's password, I know it will fix the filevault key if the account is vaulted - but does it also fix the keychain?

Quite likely not.

The true file vault password is encrypted a second time and stored with the master password used to unlock it. The master password, then, is used to unlock the real password to the file vault -- the same way the user's normal password does -- and make the contents accessible.

The precise details are hazy in my mind on this, as it has been a while, however Apple used a layer of indirection (passwords to encrypt passwords) to make the master password work truly as a master, regardless of how many user accounts on a machine had a file vault home directory.

I know it's something like that, that a second copy of data is stored in the master keychain.

But the question then persists, what exactly is stored there? It could merely store the filevault's actual keychain, but it could also store the user's cleartext password?