Deleting DigiNotar’s Root Certificate on Mac OS X

Recently a number of fraudulent SSL certificates for high-profile websites, including Google, were obtained from the Dutch Certificate Authority DigiNotar.
These certificates could be used to impersonate or intercept legitimate services.
One method for dealing with this situation is to mark DigiNotar’s root certificate as untrusted.
Unfortunately, due to a bug in Mac OS X, DigiNotar-signed EV certificates will still appear to be valid.
To work around this, one can delete the certificate from the system trust roots with the following command:

	security delete-certificate -Z \
		C060ED44CBD881BD0EF86C0BA287DDCF8167478C \
		/System/Library/Keychains/SystemRootCertificates.keychain
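
To confirm the deletion took effect, the keychain can be listed with `security find-certificate -a -Z` and searched for the same SHA-1 fingerprint. The script below is an added example, not part of the original post; the function names and the sample listing are constructed for illustration, and the fingerprint and keychain path are the ones from the command above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm removal by fingerprint.

# SHA-1 fingerprint and keychain path taken from the command above.
DIGINOTAR_SHA1="C060ED44CBD881BD0EF86C0BA287DDCF8167478C"
ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

# Strip spaces/colons and upper-case, so "c0:60:..." and "C060..." compare equal.
normalize_hash() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'abcdef' 'ABCDEF'
}

# cert_present HASH
# Reads `security find-certificate -a -Z` output on stdin and returns 0 if any
# "SHA-1 hash:" line matches HASH, 1 otherwise.
cert_present() {
    want=$(normalize_hash "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "SHA-1 hash:"*)
                got=$(normalize_hash "${line#SHA-1 hash:}")
                if [ "$got" = "$want" ]; then return 0; fi
                ;;
        esac
    done
    return 1
}

# Constructed sample of the listing format, for running the check offline.
# The second fingerprint is a made-up placeholder.
sample_listing() {
    cat <<'EOF'
SHA-1 hash: C060ED44CBD881BD0EF86C0BA287DDCF8167478C
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
SHA-1 hash: 00000000000000000000000000000000DEADBEEF
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
EOF
}

# On a Mac, check the live keychain; elsewhere this block is skipped.
if command -v security >/dev/null 2>&1 && [ -f "$ROOTS" ]; then
    if security find-certificate -a -Z "$ROOTS" | cert_present "$DIGINOTAR_SHA1"; then
        echo "STILL PRESENT: $DIGINOTAR_SHA1"
    else
        echo "not found: $DIGINOTAR_SHA1"
    fi
fi
```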

Kerberos over TCP on OS X 10.7 (Lion)

With the release of Mac OS X 10.7 (Lion), Apple has switched from MIT Kerberos to Heimdal Kerberos.

By default Heimdal will attempt to communicate with KDCs over UDP.
In some cases it is desirable to default to TCP.
Heimdal can be instructed to prefer TCP by prepending the KDC hostnames in /etc/krb5.conf with tcp/.
For example:

	[realms]
		EXAMPLE.COM = {
			kdc = tcp/kerberos-1.example.com:88
			kdc = tcp/kerberos-2.example.com:88
		}