[OpenAFS-devel] aklog on MacOS X was Re: Service Ticket Questions
Ernest Prabhakar
prabhaka@apple.com
Tue, 21 Mar 2006 09:12:39 -0800
Hi lxs,
On Mar 21, 2006, at 7:01 AM, Alexandra Ellwood wrote:
> Apple has such a tool. It's called Keychain Access. It stores
> certs, passwords, identity preferences... basically anything living
> in your keychain. I can't speak for Apple (I'm not even an Apple
> employee) but I'd place good money on this being where Apple would
> display Kerberos and AFS credentials if they were doing the support
> themselves.
>
> That being said I've never placed high priority on Kerberos support
> in Keychain Access because Mac users don't seem to want it. Mac
> users want Kerberos to work without any interaction with any
> tools. They want to be prompted for tickets when they need new
> ones (or have them automatically acquired in the pkinit case).
Um, I'm having trouble following this argument, but I want to make
sure I understand your issue. I completely understand that AFS users
don't want to run a GUI application. But, I'm confused with how that
impacts the issue of using "Keychain Services" as the underlying API
and storage mechanism for managing AFS tickets:
http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Security_Services/chapter_4_section_6.html
Presumably, it would be straightforward for AFS and Kerberos to use
Keychain Services and provide their own CLI interface, no? Or are
you concerned about something completely different?
-- Ernie P.