keychain
#8475 02/19/10 03:51 PM
Joined: Aug 2009
Likes: 2
jaybass Offline OP
OS 10.5.8
I thought I would open keychain out of curiosity and I see there are a couple of items which say "This root certificate is not trusted." I looked at Apple Support and it said NOT to delete them.
They are: com.apple.kerberos.kdc & com.apple.systemdefault
I believe the first one has something to do with p2p, which I did use several weeks back (but not now).
I have never used keychain. Can someone please elaborate?
Should I ignore any future such notices?
jaybass


OS 13.6.4 iMac (Retina 5K, 27", 2017, 3.4 GHz Intel Core i5, 24 GB RAM, 2400 MHz DDR4. SuperDuper. 1 TB Lacie HD
Re: keychain
jaybass #8490 02/20/10 04:52 AM
Joined: Aug 2009
Kerberos (developed at MIT) is used for single sign-on in large networks. Apple uses it both for Mac OS X server's Open Directory (probably not relevant to you) and for authentication on a local network (as well as remote access through Back To My Mac).

Those are normally locally signed (that is, not backed by VeriSign or one of the big places), and that is to be expected for the Kerberos cert. I'm not sure about the com.apple.systemdefault, though, but I'd suspect it is similarly a local creation, as VeriSign charges big bucks for each and every signed certificate.

The key idea is that these are public/private certificate pairs that will take longer than the age of the known universe to crack. The encryption is very strong and definitely present. What is missing is proof that the certificate is who it says it is, and only VeriSign (or equivalent) will make that assertion.

In other words, you are safe, and certainly should NOT mess around with them in keychain.

Re: keychain
David #8492 02/20/10 02:05 PM
Joined: Aug 2009
Likes: 2
jaybass Offline OP
Thank you David for your comprehensive reply. I must confess I am not familiar with the details but it does give me a little insight.
I will not "mess" around with keychain.
jaybass


Re: keychain
jaybass #8496 02/20/10 06:32 PM
Joined: Aug 2009
Likes: 1
Moderator
Originally Posted By: jaybass
I will not "mess" around with keychain.

Just to make sure: there may be good reasons to 'mess' with (certain components of) Keychain, just not with these particular files.


alternaut moderator
Re: keychain
alternaut #8502 02/20/10 09:25 PM
Joined: Aug 2009
Likes: 2
jaybass Offline OP
That's quite a mouthful from pendragon.

I hope I never have to use keychain.

jaybass


Re: keychain
jaybass #8506 02/20/10 10:14 PM
Joined: Aug 2009
Likes: 1
Moderator
Originally Posted By: jaybass
I hope I never have to use keychain.

Since its use is quite transparent it's quite possible, if not likely, that you're already using it... How's that for a mouthful?


alternaut moderator
Re: keychain
jaybass #8509 02/21/10 01:17 AM
Joined: Aug 2009
Likes: 16
Moderator
  • Do you ever save the userid and password for a web site in Safari?
  • In Mail have you stored the userid and password for your email accounts?
  • Do you ever visit any secured web pages (https) such as those used to pay for online purchases?

All of these are dependent on Keychain to store and manage the various userid/password combinations and/or security certificates. It would be very difficult, in fact, to use OS X without making use of Keychain, whether you are aware of it or not. Keychain is generally completely transparent to the user but essential to the user's computing experience.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: keychain
jaybass #8510 02/21/10 03:25 AM
Joined: Aug 2009
cyn Online
Administrator
AFAIK, if you're using OS X you're using keychains.

From Apple's Mac OS X 10.5 Help About keychains:

Quote:
You start with a single keychain named “login” which is your default keychain, and is created automatically the first time you log in to your Mac OS X user account and has the same password as your account. This keychain is unlocked automatically when you log in to your account.

You might be interested in this thread in FTM's New User's forum: Keychain - Do I want to?


FineTunedMac Forums Admin
Re: keychain
cyn #8514 02/21/10 02:49 PM
Joined: Aug 2009
Likes: 2
jaybass Offline OP
That thread in FTM's New User's forum is very informative.
I have put it in my documents which I shall peruse later.
Thank you.
jaybass



Re: keychain
joemikeb #8515 02/21/10 02:57 PM
Joined: Aug 2009
Likes: 2
jaybass Offline OP
I don't use Safari but yes to the other 2 questions.

As in my response to Cyn, I will definitely delve into keychain.

Alternaut, Thanks for the mouthful.

jaybass


Re: keychain
joemikeb #8528 02/22/10 12:03 AM
Joined: Aug 2009
Originally Posted By: joemikeb
It would be very difficult, in fact, to use OS X without making use of Keychain, whether you are aware of it or not. Keychain is generally completely transparent to the user but essential to the user's computing experience.


I'll have to disagree here. We see people almost once a week that have a locked keychain that won't unlock. This results from them using their restore disk to reset their password, usually because they can't run software updates because they forgot their password. (auto login is not a good idea imho, for this reason)

The boot disk resets their password, but does not delete nor disable their keychain, so it remains their default keychain, with their old (unknown) password, and does not unlock on login.

Each time they try to do something that can use data in the keychain (like browse to certain websites with forms to be autofilled) or check/send mail, the system sees the entry it needs in the keychain but cannot get the data out, and prompts for the keychain password. Users tend to be very tolerant of clicking cancel all the time before they finally bring it in for us to fix.

Besides the annoying constant popups asking for the keychain password, the user then has to input their email password when receiving (and sometimes when sending) mail, and none of their forms on the web pages autofill. (there are many other minor things that won't work also) So it's quite possible for a user to get by without access to their keychain, they do it all the time.

Irony of this typical mess is it's usually a call to Apple that results in their using their restore disks. Why on earth Apple doesn't tell them to trash their keychain when walking through this I don't know. Then again why the password reset app doesn't manage this for you is also a mystery. Apple going to signed updates to avoid users needing to type their admin password to install software updates seems like a move in the wrong direction.

Something just occurred to me - if the master password is set, and the master password is used to reset a user's password, I know it will fix the filevault key if the account is vaulted - but does it also fix the keychain?


I work for the Department of Redundancy Department
Re: keychain
Virtual1 #8533 02/22/10 05:31 AM
Joined: Aug 2009
Originally Posted By: Virtual1

Something just occurred to me - if the master password is set, and the master password is used to reset a user's password, I know it will fix the filevault key if the account is vaulted - but does it also fix the keychain?


Quite likely not.

The true file vault password is encrypted a second time and stored with the master password used to unlock it. The master password, then, is used to unlock the real password to the file vault -- the same way the user's normal password does -- and make the contents accessible.

The precise details are hazy in my mind on this, as it has been a while, however Apple used a layer of indirection (passwords to encrypt passwords) to make the master password work truly as a master, regardless of how many user accounts on a machine had a file vault home directory.

Last edited by David; 02/22/10 05:32 AM.
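
A simplified model of the "passwords to encrypt passwords" indirection and of the locked-keychain symptom discussed in the posts above. This is an added example, not code from the thread and not Apple's implementation: a random vault key is wrapped once under the login password and once under the master password, while a keychain item is protected by the login password alone. The HMAC-based wrap is a constructed stand-in for a real key-wrap cipher, and every name and password here is hypothetical.

```python
import hashlib, hmac, os

def _kek(password, salt):
    # Key-encryption key derived from a password; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream(key, nonce, n):
    # Constructed stand-in for a real key-wrap cipher: HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(password, secret):
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _kek(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(key, nonce, len(secret))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap(password, blob):
    key = _kek(password, blob["salt"])
    tag = hmac.new(key, b"mac" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password")
    ct = blob["ct"]
    return bytes(a ^ b for a, b in zip(ct, _stream(key, blob["nonce"], len(ct))))

def reset_scenario():
    vault_key = os.urandom(32)  # random key that actually encrypts the home directory
    vault = {"user": wrap("old-login", vault_key), "master": wrap("master-pw", vault_key)}
    keychain = wrap("old-login", b"mail-account-password")  # one keychain item

    # Password reset: the master password unwraps the vault key, which is then
    # re-wrapped under the new login password. The old password is never needed.
    vault["user"] = wrap("new-login", unwrap("master-pw", vault["master"]))

    vault_opens = unwrap("new-login", vault["user"]) == vault_key
    try:
        unwrap("new-login", keychain)
        keychain_opens = True
    except ValueError:
        keychain_opens = False  # still locked under the old, forgotten password
    return vault_opens, keychain_opens

if __name__ == "__main__":
    print(reset_scenario())
```

In this model the reset repairs only what has a second wrapped copy under the master password; the keychain item has none, so it stays locked, and no cleartext password is stored anywhere.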
Re: keychain
David #8564 02/23/10 10:35 PM
Joined: Aug 2009
I know it's something like that, that a second copy of data is stored in the master keychain.

But the question then persists, what exactly is stored there? It could merely store the filevault's actual keychain, but it could also store the user's cleartext password?


I work for the Department of Redundancy Department

Moderated by  alternaut, dkmarsh, joemikeb 
