On Wed, Jul 01, 2009 at 01:06:05PM -0500, Nicolas Williams wrote:
| On Wed, Jul 01, 2009 at 12:32:40PM -0400, Perry E. Metzger wrote:
| > I think he's pointing out a more general problem.
|
| Indeed. IIRC, the Mac keychain uses your login password as its passphrase
| by default, which means that to keep your keychain unlocked requires
| either keeping the password around (bad), keeping the keys in cleartext
| around (worse?), or prompting for the password/passphrase every time
| they are needed (unusable).
|
| This applies to ssh-agent, the GNOME keychain, etcetera. It also
| applies to distributed authentication systems with password-based
| options, like Kerberos.

As I understand things (and I'm no expert in MacOS internals)
LoginWindow is a mandatory process, those others are optional and
configurable.

I keep keychain and 1password on short leashes, which may not matter
at all from the perspective of a sneaky trojan which waits around and
then grabs the data, but makes me feel better.

Adam
#include <stddisclaimer.h>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com