You do not need a private key to revoke a certificate. You need the certificate serial number.
The issuer should NEVER set eyes on a private key which isn't theirs. If you want to make life easier for your customer, do it client-side with JavaScript and throw a PFX at them once the issuance has completed.
It still stuns me how many in tech, even CAs, have such a poor understanding of how PKI works.
In the UK in the early/mid 80's we had the BBC Micro which shared the market with the like of the C64 and Spectrum. Pretty standard kit; 6502 CPU with 32k RAM (later 128k on the BBC Master). BASIC was where I started, but it didn't take long to get into writing assembler - somewhat necessary in order to do anything cool like *ahem* copying games which relied on raw sector reads of deleted data on 5.25" floppies as copy protection. Our local radio station even had a computer show on a Wednesday evening where they would play programs out over the air for people to record on their handy tape deck.
When I started high school they had a whole Econet network built around BBC machines with an SJ Research file server. That sparked a whole new interest and, under the premise of writing a multi-user network game, I managed to persuade SJ to send me a load of very useful documentation. A matter of weeks later I was blowing my own PROMs at home and discreetly slotting them into the BBCs in one of the music classrooms. The docs from SJ were what today's coders would describe as "undocumented APIs", but you would essentially just load up the registers and JSR to a particular address to unleash teenage stupidity with gusto.
Instead of trying to steer me toward applying my skills in a more constructive manner, my school decided to ban me from using any computer in the school for a year. Being somewhat "on the spectrum" I went a little off-piste at that point and headed off down the road of rock n roll, girls and weed for a few years; until it became necessary to actually earn a living.
When I came back to computing things had changed a lot and the PC was taking over; it was late 486 and very early Pentium dominating the market which I found fairly easy to slip into. I became relatively capable with a lot of the common languages of the time and whilst I'm decent with x86 it's only on a handful of occasions I've ever needed to write it in the raw.
I don't work as a coder, but that early experience has been enormously valuable in terms of understanding how things actually work under the hood, being able to turn my hand to most common languages when the need arises, and in terms of the problem solving mentality I learned back in the 80's.
I'm guessing you live in the US? If so, perhaps you should petition your local person of power (senator? congressman? whatever) to address the pitiful consumer laws in your country. In Europe such things are legally bound, in terms of products being fit for purpose for their intended lifetime. In the UK this is implemented in (amongst other things) the Sale of Goods Act which gives you significant ammunition in terms of demanding it be fixed for a period of (I believe) up to 5 years.
Genuinely not trying to be a smart ass; you could be in Europe and be unaware of such laws - hopefully you are. Companies, as a matter of course, will conveniently forget to mention these rights until you beat them around the head with them. But then, that's business - deny deny deny, until you're banged to rights.
Agree and disagree...
If the employee has never been cause for concern there's no need to be a dick about it, but this is basic risk management. Pat the guy on the back, knock off early and buy everyone a round of beers. But you have to lock him out. Pay him his notice and let him go.
Certificate Authorities who operate on that scale absolutely do NOT keep private keys of the issuing intermediate available for harvest. That's what HSMs are for; devices which hold the private key material and perform signing operations on behalf of the CA. The CA can never retrieve the private key(s) so compromising the CA in that scenario should never result in private key disclosure.
The main issue is that Oyster does do some level of cleverness. I only ever skimmed the paper so don't recall the details. The main issue in most use cases is that the spec says the token UID should be read-only. When you can buy tokens from China which completely disregard this and let you write sector 0 it's game over immediately for huge swathes of RFID installations which rely on UID alone.
My work ID does door access, printing, loads of stuff. Spoof the UID onto a blank token, remove the chip/antenna, place inside rear cover of watch. Super convenient, but alarmingly easy.
And you know that "tap and go" stuff your credit card has, distinct from the chip & pin functionality, for low-value purchases like a Double Whopper with cheese? Don't even get me started on that...
Honestly, what the actual fuck? Have you listened to yourself?
I don't actually use public transport. I just do some NFC work for the day job and know how weak the keys are in old MiFare stuff. No wonder you posted AC with that outburst of verbal diarrhoea.
Well thanks Anonymous Coward (latin: buffoonus maximus), but that's a bit of a tenuous jump. I don't even use public transport, I'm just a guy who does a bit of NFC engineering for the day job and knows the difference between the wrong way to do it and the way I do it. The token security is weak, certainly, but it's easy to protect against with some very low-overhead crypto.
Old MiFare stuff is toast, security wise. Any old fool can order some UID-writable tokens on eBay from China, grab a copy of libnfc and mfoc, then things get interesting pretty quickly.
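The weakness described in the two comments above (a reader that trusts the UID alone, which a UID-writable blank can copy) and the "very low-overhead crypto" the NFC commenter says fixes it, as an added example in Python that is not from the thread or any vendor's code. It assumes a token able to compute a keyed MAC (a modern NFC token or secure element, not old MIFARE Classic); the master key, UID and token model are constructed.

```python
# Added example: UID-only authentication versus a per-token diversified key
# used in a nonce challenge-response. Everything here is simulated; the
# MASTER_KEY and UID are constructed values, not real deployment data.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed master key; in practice it lives only in the reader back end / HSM.
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Derive a per-token key from the master key and the public UID.

    Compromising one token yields only that token's key, never the master."""
    return hmac.new(master_key, b"token-auth-v1" + uid, hashlib.sha256).digest()


class Token:
    """Simulated token: a UID anyone can read plus a key that never leaves the chip."""

    def __init__(self, uid: bytes, key: Optional[bytes]):
        self.uid = uid
        self._key = key  # None models a blank clone that only copied the UID

    def respond(self, challenge: bytes) -> bytes:
        if self._key is None:
            # A clone without the diversified key has nothing useful to return.
            return bytes(32)
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Reader:
    def __init__(self, master_key: bytes, enrolled_uids: set):
        self._master = master_key
        self._enrolled = enrolled_uids

    def uid_only_check(self, token: Token) -> bool:
        """The weak scheme the thread complains about: trust the UID alone."""
        return token.uid in self._enrolled

    def challenge_response_check(self, token: Token) -> bool:
        """The fix: fresh nonce per attempt, per-token key, constant-time compare."""
        if token.uid not in self._enrolled:
            return False
        nonce = secrets.token_bytes(16)  # fresh every time, so replays fail
        expected = hmac.new(
            diversify_key(self._master, token.uid), nonce, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, token.respond(nonce))


def enrol(uid: bytes) -> Token:
    """Personalise a genuine token with its diversified key."""
    return Token(uid, diversify_key(MASTER_KEY, uid))


def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID
    reader = Reader(MASTER_KEY, {uid})
    genuine = enrol(uid)
    clone = Token(uid, None)  # same UID written onto a blank, no key material
    return {
        "genuine_uid_only": reader.uid_only_check(genuine),
        "clone_uid_only": reader.uid_only_check(clone),  # clone passes: the flaw
        "genuine_cr": reader.challenge_response_check(genuine),
        "clone_cr": reader.challenge_response_check(clone),  # clone fails: the fix
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```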
Well someone got out the pedantic side of the bed this morning. And no, it's an allocation of my ISP's /16. If I'd got the range from RIPE I wouldn't need PTR delegation would I?
I don't actually need the whole block any more, it was something I was doing for a PhD project a few years back. A /27 would do me these days, but they don't seem in a hurry to have them back.
Very well put. Getting a large ISP whose staff "follow the flowchart" to provide such things is not as easy as some make out. I have a number of non-catalogue products including bonded FTTC which has saved me a fortune on what I used to pay for dedicated hosting (I don't need 5 9's uptime). Instead of a call centre grunt giving a standard "We don't provide that service" response, I get a technically literate person on the end of the phone who understands what I'm asking for and says "Let me have a word, see what we can do". You pay for that kind of service, but for me it's worth it.
Not A&A actually, but along those lines. It's a little more than just PTR NS records, but that's not really relevant to the discussion.
Personally I'm not a big user of these kind of services, but it's only a handful of the "big" ISPs who are doing the blocking. I prefer a more personal service so I use a small ISP which offers special geeky extras (full class C, reverse NS delegation etc) and they perform no such blocking. But even if I didn't it's trivial to bypass such blunt instruments.
The proper way to do it is to have a 100% offline CA with its key material split over a number of smart cards so the CA can only be brought up periodically for signing purposes when a certain number of cards are present (say 3 of 5) and even then you use an HSM which performs all activities hence the private key is never accessible even if you wanted it to be. You store the cards in fireproof safes in geographically dispersed secure physical locations, cardholders travel by different modes of transport, at different times of day, stay at different hotels etc. For day-to-day certificate issuance and signing you have a subordinate CA sat in a networked HSM. That way there can only ever be a minuscule (I'd never use the word impossible) risk that the root CA can be compromised and you maintain the ability to revoke the day-to-day CA.
90% of a good PKI is process and governance, not the technology itself.
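The "3 of 5 cards" quorum from the comment above, as an added example (not the commenter's code nor any HSM vendor's procedure) modelled with Shamir secret sharing over a prime field in Python. The shares stand in for the smart cards and the secret is a constructed 256-bit value standing in for the key-wrapping material the HSM needs before the root can be brought up.

```python
# Added example: k-of-n secret sharing as the maths behind a card quorum.
# Constructed values only; a real ceremony would do this inside the HSM.
import secrets
from typing import List, Tuple

PRIME = 2**521 - 1  # Mersenne prime M521, comfortably larger than a 256-bit secret

Share = Tuple[int, int]  # (x, f(x)) point handed to one card holder


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, n_shares: int) -> List[Share]:
    """Split `secret` into n_shares points on a random degree-(threshold-1) polynomial."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # Leading coefficient is forced non-zero, so fewer than `threshold` shares
    # can never interpolate to the true secret (not merely "almost never").
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 2)]
    if threshold > 1:
        coeffs.append(1 + secrets.randbelow(PRIME - 1))
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. Correct only when a full quorum is supplied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same card was presented twice")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def ceremony(cards_present: List[Share], threshold: int, expected_secret: int) -> bool:
    """Model of the signing ceremony: refuse below quorum, otherwise verify that
    the presented cards really reconstruct the expected material."""
    if len(cards_present) < threshold:
        return False
    return recover_secret(cards_present) == expected_secret


def demo() -> dict:
    # Constructed stand-in for the HSM key-wrapping secret.
    secret = int.from_bytes(secrets.token_bytes(32), "big")
    cards = split_secret(secret, threshold=3, n_shares=5)
    return {
        "three_cards": ceremony([cards[0], cards[2], cards[4]], 3, secret),
        "two_cards": ceremony([cards[1], cards[3]], 3, secret),
        "two_cards_wrong_value": recover_secret([cards[1], cards[3]]) != secret,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Any three of the five cards reconstruct the secret; any two yield a deterministically wrong value, which is what makes the quorum enforceable rather than advisory.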
I suspect what's going on here is that the NSA has the ability to cut certs for things like *.google.com, *.facebook.com etc from a trusted commercial CA whose root is already installed in everybody's browser, hence they can man-in-the-middle the traffic without raising alarm. A few sneaky BGP advertisements and this would be surprisingly easy to do.
It's pretty shocking to read most of the comments on here and realise that very few people actually know how PKI works even at the most basic level.
I decided, having had a couple of stiff ones (drinks) this evening, to drop them a line via the website in an attempt to contribute a tiny amount of sanity and/or education.
Unfortunately I was told my email could not contain anything other than [0-9|a-z] IN THE BODY and due to my use of punctuation I was not allowed to email them. I was going to "correct" my correspondence, but then I thought "fuck it, I've got work tomorrow", and I have a glass of wine and 2/3 of a frankly very good cigar to do in.
I figured it probably would. I used to love working with Novell products and used to proudly have all my CNE/CNI certs framed in the office but left that organisation (education) before I had the chance to get involved in transitioning from Netware to OES2 on SuSE. Now sat up in management towers wishing I could still be getting my hands dirty. Such is life.
I realise Novell aren't exactly a powerhouse any more, but does anyone else remember about 5 years ago when they released Domain Services for Windows? That was basically Samba 4, but using eDirectory and NSS (that's a proper man's filesystem, for you young kids) as the back end. I only played with it briefly whilst at my last employer, but damn did it rock... All the NSS clustering and good bits of Novell tech were totally transparent. The only time you knew you were talking to a Linux box was if you opened up a DC in MMC and looked at its properties, where it said something along the lines of "SuSE Linux Open Enterprise Server".
Fairly obvious that Jeremy A was largely responsible for DSfW, just a shame that stuff was most likely locked up as Novell IP and off limits to Samba 4.
Amen to that. I smoke 4 or 5 per day, yet I don't smell of smoke and I run 10k several times a week. This policy is so ignorant and persecutory it reminds me of Hitler's attack on smokers in the 1930s. Perhaps his dream has finally become a reality... in the USA.
I smoke very well prepared and frankly rather expensive rolling tobacco. It is a very pleasant experience which I usually combine with several large glasses of quality red wine to relax and spend time with my wife away from writing code and dealing with a severely pressurised job. Having worked in the US I turned down a green card around 2 years ago because, well, it's a very oppressive place to be right now. The phrase "land of the free" has become laughable. Most Americans bend over and take it because it's happened bit-by-bit and they have gradually adjusted, but just like Windows malware protection if the whole shebang hit you all at once there would be uproar.
In all honesty the UK is probably only 5 years behind, which is why I have just accepted a job in a far more tolerant western nation. Goodbye and good riddance is my current frame of mind.
Pedantic I know, but look at what you wrote and what the diagrams show you. You wrote Britain, which is short for Great Britain; not British Isles or British Islands. Great Britain does not contain the whole of the UK. The UK however does contain the whole of Great Britain.
Negative.
To give it its full title... The United Kingdom of Great Britain and Northern Ireland.
GB = England, Scotland, Wales.
UK = GB + NI.
Before independence they were British people living in a British territory. Your analogy != sense.
Try aviation GPS, that's a whole new level of comfortable. Instead of correlating the information presented to you by a bunch of different gauges tuned to 60yr old radio beacons you just follow the pink line. Need to land at an airport in thick fog? No problem; switch on approach mode and simply fly through the boxes displayed on the screen, or enable synthetic vision mode and you essentially get a video-game recreation of the terrain, runway, everything... just not the fog.
Another poster was right, GPS is just a bunch of clocks sending out pulses whose transit times you compare to establish location, but the quality of applications designed around it is simply stunning. One of the best inventions of the 20th century in my opinion.
Not the case for CSC though. They're on pay-per-deployment. When trying to deploy a single-instance system shared between many organisations with minimal tiered config, scope creep is bad. Very bad.
It's a shame these big contracts are being allowed to tarnish all the achievements which have been made. Digital x-rays, scans etc enjoy 100% coverage across the UK; consultants can get a second opinion from someone 100 miles away in minutes, instead of sending x-rays in the back of a taxi to another city.
Electronic referrals from GPs (family doctors) for hospital treatment are in the tens of thousands per day and GP2GP record transfers for people changing doctors are becoming widespread. All NHS sites are connected by the N3 network.
The big sticking points are the large hospital trusts and their systems; in London and the south the system of choice was Cerner Millennium (a bastardised billing system from the US market not particularly well suited to the NHS), and in the North it was iSOFT's Lorenzo (a web-based system built specifically for the NHS, but built by coders in India who have no idea how the NHS works). In all fairness, despite its lack of suitability Millennium is up and running at quite a number of big hospitals. Lorenzo has been delayed for many years and is only just becoming usable, although it's hardly what one could describe as feature rich at this point in time.
Aside from software issues, one of the major issues the suppliers had was trying to be too helpful; every hospital will insist they are somehow unique and by pandering to every possible requirement the scope of the software build simply exploded.
Trivialising the scale of the task shows considerable naivety in the working of the NHS, but it definitely could have been done at a fraction of the cost. The national-level architecture (NHS Spine) whilst showing its age a little now, is still valid in its construction; a national interchange which any software complying to the relevant messaging standards can interact with.
As you've probably guessed, I'm involved in this particular industry. The intentions from a patient care and modernisation perspective were honourable, but the huge contracts for specific things from specific suppliers were a mistake.
You ARE joking, right?
You'll get no argument from me in regard to the shortcomings of Novell's business strategy, but eDirectory was light years ahead of AD for over a decade. AD 2008 is pretty good, but it still lacks many of the enterprise class features of eDirectory. Whilst ConsoleOne was a source of constant irritation, bulk user management was trivial when using tools like the JRB utilities. I used to manage an eDirectory with over 100,000 users and it barely broke a sweat.
From a core file/print perspective Netware simply kicked ass; the technology behind filesystems like NSS makes NTFS look positively prehistoric. AD and NTFS don't even have a proper inherited rights implementation, I mean come on?! Layer stuff like Identity Manager, Zen and Storage Manager on top of it and you've got complete workflow management, policy driven desktop config and app delivery, and intelligent dynamic storage management. The clustering support was also excellent.
Of the 2 local universities, 1 runs OES (netware services on Linux, basically) and the other moved to Windows. The support costs at the latter went through the roof.
Personally I don't care either way any more; I'm well out of the hands-on NOS management space. What I see these days when recruiting is that those with pure Windows experience can support Windows. Those with Netware experience can support anything.