---

Glossary

• access control list (ACL)  

  A structure containing information describing what must happen (display a confirmation dialog, ask for a password, and so forth) in order to permit a specific operation to occur. An ACL may also contain a list of applications that are always trusted to perform that operation. Each keychain item has one or more associated ACLs, and each ACL applies to a single operation that can be done with that item, such as encrypting or decrypting it. See also access object.



• access object  

  An opaque data structure containing one or more access control lists. Each keychain item has one access object.



• ACL  

  See access control list (ACL).



• application programming interface (API)  

  The set of routines, data structures, constants, and other programming elements that allow developers to use some part of the system software.



• attribute  

  One data item, such as the name, type, date modified, account number, and so on, for a keychain item, other than the secret. The attributes associated with a keychain item depend on the class of the item.



• authentication  

  The act of verifying identity with something the user provides. For example, a user can provide information such as a name and password, a physical item such as a smart card, or a physical feature such as a fingerprint or retinal scan.



• authorization tag  

  A data field in an access control list (ACL) that specifies an operation that can be done with that keychain item, such as decrypting or authenticating



• certificate  

  See digital certificate.



• CDSA (Common Data Security Architecture)  

  An open software standard for a security infrastructure that provides a wide array of security services, including fine-grained access permissions, authentication of users, encryption, and secure data storage. CDSA has a standard application programming interface, called CSSM. In addition, Mac OS X includes its own security APIs that call the CDSA API for you.



• CSSM (Common Security Services Manager)  

  A public application programming interface for CDSA. CSSM also defines an interface for plug-ins that implement security services for a particular operating system and hardware environment.



• default keychain  

  The keychain accessed by certain Keychain Services functions when no other keychain is specified in the function call. For example, newly-created keychain items are stored in the default keychain unless a different keychain is specified in the function call. A default keychain is created for each new login account, but the user can use the Keychain Access utility to designate another keychain as the default.



• default keychain search list  

  The list of keychains searched by certain Keychain Services functions when no other keychain or list of keychains is specified in the function call. The default keychain search list contains the same keychains as the keychain list displayed in the Keychain Access utility.



• digital certificate  

  Digitally signed data that can be used as a component of digital authentication systems. Because certificates might be referred to more than once, Keychain Services allows applications to store them in a keychain.



• encrypt  

  To secure data so that it cannot be read by unauthorized entities, in such a way that its original state can be restored later (decrypted). In most cryptographic systems, encryption and decryption are performed by manipulating the data with a string of bytes called a key.



• generic password  

  A password other than an Internet password.



• Internet password  

  A password for an Internet server, such as a Web or FTP server. Internet password items on the keychain include attributes such as the security domain and IP address.



• key  

  A string of bytes used by an encryption algorithm to encrypt or decrypt data.



• keychain  

  A container that holds encrypted secrets for multiple applications and secure services. See also keychain item.



• Keychain Access  

  A utility that allows users to create, delete, and modify keychains and keychain items.



• keychain item  

  A secret that is encrypted and protected by the keychain, plus its associated attributes and access object. Each keychain item has a class that determines what attributes it has; for example Internet password items include an IP address attribute. The password or other secret stored as a keychain item is encrypted and is inaccessible when the keychain is locked. When the keychain is unlocked, the secret can be read by the trusted applications listed in the item’s access object and by the user (with the Keychain Access utility). The attributes are not currently encrypted.



• Keychain Manager  

  A legacy API used to create, delete, and modify keychains and keychain items prior to Mac OS X v10.2. Keychain Services is preferred for use with Mac OS X v10.2 and later.



• Keychain Services  

  The API used to create, delete, and modify keychains and keychain items starting with Mac OS X v10.2.



• locked  

  A keychain state in which no key is available in memory to decrypt the passwords and other secrets protected by the keychain. When an application attempts to retrieve a secret from a locked keychain, the user is prompted for a password. The login keychain is unlocked automatically at login if its password matches that of the user’s login account.

  There is no way to extract secrets from a locked keychain without providing the keychain’s password. All of a users keychains lock automatically when the user logs out.



• login keychain  

  A keychain automatically created for a new login account. The login keychain is automatically unlocked at login if its password matches that of the user’s login account. For Mac OS X v10.2, the login keychain had the same name as the login account. For Mac OS X v10.3, the login keychain is named login.keychain. Mac OS X v10.3 also recognizes login keychains created under Mac OS X v10.2.



• password  

  Data, usually a character string, used to authenticate a user for a service or application.



• secret  

  The encrypted data in a keychain item, such as a password. Only a trusted application can read the secret of a keychain item. Compare with attribute.



• secure storage  

  Encrypted storage of data that requires a user or process to authenticate itself before the data is decrypted.



• system keychain  

  A keychain that belongs to the system as a whole, rather than to a particular user. System keychains are usually used by system daemons and services, but can also be accessed by applications on behalf of users. One system keychain, named System.keychain, is created by the system and added by default to every user’s keychain list.



• transparent authentication  

  Authentication without intervention by the user. After unlocking the keychain, the user does not have to log in separately to any services whose passwords are stored in the keychain.



• trusted application  

  An application that can read a keychain item’s secret when the keychain is unlocked. See also access control list (ACL).



• unlocked  

  A state in which the keychain has a key in memory that can be used to encrypt or decrypt items in that particular keychain. A keychain is considered unlocked after its password has been entered (by the user or programmatically). An unlocked keychain can provide access to its secrets, subject to ACL checks, until it is locked again.



• user ID  

  Data, usually a character string, used to identify a user for a service or application.

---