For a long time, I ignored the Apple Keychain (see earlier posts for more Keychain travails). I didn't want to keep my passwords anywhere accessible without my intervention. What finally made me give up was the fact that Safari prompted me for my Keychain passphrase on every single flipping page with a text entry field. Eventually I gave up, and started unlocking the keychain. It's very useful, but Apple (Safari) effectively forces many users to use the Keychain by making it so intrusive and unpleasant. Why isn't there a "don't bother me" option in that dialog?

Then when I started using SSHKeychain, the Apple Keychain became much more important to me, because it contained the passphrase for ssh private keys. I am an aggressive locker. When I leave the room, I lock the screen. I do this at home (and irritate Amy), and I do this when I leave the cube farm at work. As a result, I unlock the Mac frequently, with a longer-than-average password. It's a minor nuisance to type one password more than hourly, but if I had to unlock the screensaver, at least one Apple keychain, and one or more ssh private keys, I wouldn't be able to get any actual work done before I bought an Uzi.

With SSHKeychain, I discovered that Apple doesn't support locking Apple keychain(s) when the screensaver locks. Now I know that a major reason for this is that things break when the keychain is locked. In particular, .Mac sync throws all kinds of hissy when it doesn't have access to your .Mac password through a keychain (I've counted 5 different prompts for my Keychain password so different parts of .Mac sync can connect). That's obnoxious, and bad security.

Today's brokenness is related. If you don't have your .Mac password in an unlocked keychain, it's impossible to get a .Mac iChat certificate. Instead you get a bogus error pointing to the "Forgot password" page. I didn't forget my password, you robotic clown! I just won't give it to you for safekeeping (this is on a multi-user server I rarely use, and where I don't want or need saved passwords). I tried entering the password directly into iChat (faster than getting it into the Keychain at that point), but again iChat's Encryption Assistant failed with a misleading error. As soon as I cached my .Mac password, the Encryption Assistant worked. Two bugs (not accepting manual password entry, and not using a password stored in iChat preferences) + a misleading error message + forcing the user to inferior security (cached password) in order to get a security feature (encrypted chat)!

How perverse is that? Don't answer, please. You'll set me off again.