Re: Problem with IIS5 - "expired" CRLs not working?

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 04/02/04


Date: Thu, 1 Apr 2004 14:08:37 -0800

To close on this mail thread with everyone, we believe we have found a
hotfix with IIS 5.0 that corrects this problem.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
news:ea8qMwzFEHA.2428@tk2msftngp13.phx.gbl...
> Hi,
>
> Theory (in lieu of being able to find any information on the
> CERT_CHAIN_POLICY... flags):
>
> If I'm understanding things, CAPIMON shows the calls to CryptoAPI,
including
> calls from IIS5 itself, and parameters in such calls.
>
> If I'm interpreting things correctly from the CAPIMONUI output, something
> (presumably IIS5) is calling  CertVerifyCertificateChainPolicy() with
flags
> that tell CertVerifyCertificateChainPolicy() not to pay attention to the
> time validity of what it's checking, i.e., "Don't worry whether or not any
> of the things you're checking are within their validity period".
>
> Is this possible?
>
> If so, this might seem to explain why IIS5 appears to be ignoring the
> validity period of the CRLs?
>
> Jim
>
>
>
> "Ohaya" <ohaya@cox.net> wrote in message news:406AE6FA.EE63FFD6@cox.net...
> > David,
> >
> > Ok, sorry, I missed this.
> >
> > During a connect with a good client cert, I am getting 4 lines with my
> > root CA name in the "End Entity".
> >
> > These 4 lines come in pairs, with the call to CertGetCertificateChain
> > first, then a call to CertVerifyCertificateChainPolicy immediately after
> > that.  All 4 calls have Status "OK".
> >
> > I don't know what this means, but I noticed that in the calls to
> > CertVerifyCertificateChainPolicy, it's showing at the bottom:
> >
> > Policy Para:
> > Flags: 0x00000007
> > CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG (0x00000001)
> > CERT_CHAIN_POLICY_IGNORE.... (0x00000002)
> > CERT_CHAIN_................. (0x00000004)
> >
> > What are these?  I'm wondering about the "IGNORE_NOT_TIME_VALID" part?
> > Is this saying that CryptoAPI shouldn't check for time validity maybe?
> >
> > Could this be why IIS5 is not considering the client certs revoked when
> > the CRL is expired?
> >
> > Jim
> >
> >
> >
> > Ohaya wrote:
> > >
> > > David,
> > >
> > > I guess the problem might be that I don't know precisely how to
> interpret
> > > the CAPIMONUI display, but the only rows that I see that show an "End
> > > Entity" with my host server cert or my root CA cert name are 2 entries
> at
> > > the very beginning of the CAPIMONUI display, for calls to
> > > CertGetCertificate, which have Status of "OK".
> > >
> > > Then there are a bunch of lines showing "End Entity" that look like
> other
> > > CAs in the "Trusted Root" store (I think).  Some of these show Status
> "OK",
> > > and some show other statuses, e.g., wrong purpose, etc.
> > >
> > > I don't see any entries in the CAPIMONUI display for the 2
"Revocation"
> > > ("Revocation" and "RevocationDLL") calls.
> > >
> > > I'm going to try again with a known revoked cert later, but that's
what
> I'm
> > > seeing in CAPIMONUI.
> > >
> > > Jim
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:%234rAqOyFEHA.2664@TK2MSFTNGP11.phx.gbl...
> > > > yes, you run CAPIMON on the server.  You don't see your client cert
> being
> > > > checked on the server by IIS?
> > > >
> > > > --
> > > >
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <ohaya@cox.net> wrote in message
> news:406A2419.7FB65A37@cox.net...
> > > > > Hi,
> > > > >
> > > > > Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2
> entries
> > > > > in the output are CertGetCertificate with "End Entity" being my
> server
> > > > > cert name.  Both of these have "Status" of "OK", with "Return" of
> > > > > "Success".  Then there are the alternating calls with other End
> Entity,
> > > > > etc., some of which have errors, and some of which succeed.
> > > > >
> > > > > I don't get any of the "Revocation" calls, either successful or
> failed.
> > > > >
> > > > > I'm not quite sure how much more info this gives?
> > > > >
> > > > > Jim
> > > > >
> > > > >
> > > > >
> > > > > Ohaya wrote:
> > > > > >
> > > > > > David,
> > > > > >
> > > > > > I think I've figured out basically how to use CAPIMON.
> > > > > >
> > > > > > With the default capimon_filter.inf, I did a connect from IE to
> IIS5
> > > > > > with a client certificate, but I am only getting a series of
> > > alternating
> > > > > > calls to CertGetCertificateChain and
> CertVerifyCertificateChainPolicy,
> > > > > > with the End Entity/Root Cert columns showing some of the
built-in
> > > root
> > > > > > cert that come with Windows.  None of these have my root CA
cert,
> and
> > > > > > none of the revocation-related calls are listed.
> > > > > >
> > > > > > I'm suppose to install CAPIMON on my IIS machine, right?  Not on
> the
> > > > > > client machine, right?
> > > > > >
> > > > > > CAPIMON seems to be a bit "picky".  After I do a
"capimon -stop",
> > > seems
> > > > > > like I have to do a reboot before I do another "capimon -start".
> > > > > > Otherwise, capimon doesn't seem to record anything.
> > > > > >
> > > > > > Jim
> > > > > >
> > > > > > Ohaya wrote:
> > > > > > >
> > > > > > > David,
> > > > > > >
> > > > > > > I installed CAPIMON per your suggestion, last night, but I'm
> still
> > > > trying to
> > > > > > > figure out how to use it :).  It looks like it installs some
> kind of
> > > > "shim"
> > > > > > > in front of the CryptoAPI?  Sorry to ask, but what exactly do
> you
> > > > suggest I
> > > > > > > setup for the filters(?)?  I'm trudging my way through the
> docs...
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in
> message
> > > > > > > news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > > > > > I am not an expert on IIS, but I would need some more
> information
> > > to
> > > > help
> > > > > > > > you troubleshoot the issue.  Can you install CAPIMON and
shim
> IIS5
> > > > and
> > > > > > > > determine what error (or status) is being returned by
> CryptoAPI to
> > > > IIS?
> > > > > > > > That will help us determine if:
> > > > > > > >
> > > > > > > > 1) CryptoAPI is returning the right status to IIS
> > > > > > > >
> > > > > > > > 2)  Is IIS determining the right action based on this status
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > >
> > >
>
http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > >
> > > > > > > > --
> > > > > > > >
> > > > > > > >
> > > > > > > > David B. Cross [MS]
> > > > > > > >
> > > > > > > > --
> > > > > > > > This posting is provided "AS IS" with no warranties, and
> confers
> > > no
> > > > > > > rights.
> > > > > > > >
> > > > > > > > http://support.microsoft.com
> > > > > > > >
> > > > > > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
> > > > > > > > news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > > > > > David,
> > > > > > > > >
> > > > > > > > > Just to be clear, with our config, with Win2K/IIS5,
> revocation
> > > > checking
> > > > > > > IS
> > > > > > > > > occurring.  I can revoke a cert, import the new CRL into
the
> > > ICA,
> > > > and
> > > > > > > > voila,
> > > > > > > > > connecting using the revoked cert will fail with 403.13.
> > > > > > > > >
> > > > > > > > > Revocation checking, per se, is NOT the problem.
> > > > > > > > >
> > > > > > > > > The problem is that when the CRL in the ICA is expired,
> things
> > > > keep on
> > > > > > > > > working just as if the CRL was not expired.
> > > > > > > > >
> > > > > > > > > Jim
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in
> > > message
> > > > > > > > > news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > This may be a nuance with IIS 5.0, but many applications
> treat
> > > > no CDP
> > > > > > > in
> > > > > > > > > > certs as an indicator that revocation does not need to
be
> > > > checked.
> > > > > > > > > >
> > > > > > > > > > Windows Server 2003 CryptoAPI is a little smarter in
that
> even
> > > > if the
> > > > > > > > > > application allows the "no check" status to be
interpreted
> as
> > > > "OK",
> > > > > > > > > > CryptoAPI can return a "bad" status if it finds a CRL in
> the
> > > CA
> > > > store.
> > > > > > > > > >
> > > > > > > > > > As per your reply:
> > > > > > > > > >
> > > > > > > > > > (again my client certs don't have CDP populated).
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > David B. Cross [MS]
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > This posting is provided "AS IS" with no warranties, and
> > > confers
> > > > no
> > > > > > > > > rights.
> > > > > > > > > >
> > > > > > > > > > http://support.microsoft.com
> > > > > > > > > >
> > > > > > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> > > > > > > > news:4065F9AB.8B3395C1@cox.net...
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > I just got done installing Windows 2003 (took me 3
tries
> > > :(),
> > > > and
> > > > > > > > IIS6,
> > > > > > > > > > > and in this clean, "out-of-the-box" configuration, I
> tested,
> > > > and,
> > > > > > > > > > > indeed, it appears that:
> > > > > > > > > > >
> > > > > > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs
> > > (whereas
> > > > > > > Windows
> > > > > > > > > > > 2000 AS apparently does not).
> > > > > > > > > > >
> > > > > > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in
> the
> > > ICA
> > > > store
> > > > > > > > > > > (again my client certs don't have CDP populated).
> > > > > > > > > > >
> > > > > > > > > > > As with the earlier clean-install Win2K AS, this
Win2K3
> > > > install was
> > > > > > > as
> > > > > > > > a
> > > > > > > > > > > standalone server (no AD and no Certificate Services).
> > > > > > > > > > >
> > > > > > > > > > > Re. #2 above, I need to add that initially, obviously,
> there
> > > > was not
> > > > > > > a
> > > > > > > > > > > CRL stored in the ICA, and in this initial
> configuration,
> > > IIS6
> > > > did
> > > > > > > > allow
> > > > > > > > > > > connections.
> > > > > > > > > > >
> > > > > > > > > > > I then did testing using CertMgr to add a CRL (to test
> the
> > > > validity
> > > > > > > > > > > period checking), and after that, I deleted the CRL
from
> the
> > > > ICA.
> > > > > > > > > > >
> > > > > > > > > > > After I deleted the CRL from the ICA, IIS6 would not
> allow
> > > > > > > > connections.
> > > > > > > > > > >
> > > > > > > > > > > Jim
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Ohaya wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > David,
> > > > > > > > > > > >
> > > > > > > > > > > > Thank goodness you're still here!!
> > > > > > > > > > > >
> > > > > > > > > > > > I'll check on CAPIMON and with the registry thing
you
> > > > pointed to,
> > > > > > > > but
> > > > > > > > > > FYI,
> > > > > > > > > > > > I'm starting to come to the conclusion that this
(and
> > > > another
> > > > > > > > problem)
> > > > > > > > > > are
> > > > > > > > > > > > Win2K AS-related (vs. Win2K3).  Let me try to
> explain...
> > > > > > > > > > > >
> > > > > > > > > > > > Late last year, when I first started testing, I
> started
> > > with
> > > > a
> > > > > > > > Win2K3
> > > > > > > > > > > > installation.  During that time, I began keeping a
> project
> > > > > > > notebook,
> > > > > > > > > > where I
> > > > > > > > > > > > commented on my test results (including a lot of the
> > > > conversations
> > > > > > > I
> > > > > > > > > had
> > > > > > > > > > > > here and on the inetserver.iis.security NG).
> According to
> > > > my
> > > > > > > notes
> > > > > > > > at
> > > > > > > > > > that
> > > > > > > > > > > > time, I confirmed that Win2K3/IIS6 did a couple of
> things
> > > > (that
> > > > > > > were
> > > > > > > > > > good,
> > > > > > > > > > > > security-wise):
> > > > > > > > > > > >
> > > > > > > > > > > > - It obeyed the CRL validity period (Next Update
date,
> > > > etc.), and
> > > > > > > > > > > > - If no CRL was in the ICA store (deleted from store
> using
> > > > > > > > CertMgr.exe
> > > > > > > > > > and
> > > > > > > > > > > > confirmed using the MMC Certificates snap-in), IIS6
> would
> > > > not
> > > > > > > allow
> > > > > > > > > > > > connections at all for the website.
> > > > > > > > > > > >
> > > > > > > > > > > > As I continued testing, I eventually got a Win2K AS
CD
> > > from
> > > > my
> > > > > > > > > company,
> > > > > > > > > > > > since what we were actually going to stand up were
> Win2K
> > > AS
> > > > > > > > machines.
> > > > > > > > > > > >
> > > > > > > > > > > > From my notes from that time, it appears that I did
> not go
> > > > back
> > > > > > > and
> > > > > > > > > > check
> > > > > > > > > > > > those 2 behaviors that I mentioned above related to
> CRL
> > > > > > > processing.
> > > > > > > > > > > >
> > > > > > > > > > > > I really should have noticed at least the first
> problem, a
> > > > LONG
> > > > > > > time
> > > > > > > > > > ago,
> > > > > > > > > > > > since the Next Update date on the test CRLs that I
got
> was
> > > > January
> > > > > > > > 29,
> > > > > > > > > > 2004,
> > > > > > > > > > > > but very stupidly on my part, I didn't :(...
> > > > > > > > > > > >
> > > > > > > > > > > > In other words, we're using these same test CRLs in
a
> > > couple
> > > > of
> > > > > > > > > > different
> > > > > > > > > > > > test labs (all running Win2K Server or Advanced
> Server),
> > > and
> > > > > > > they're
> > > > > > > > > ALL
> > > > > > > > > > > > still working, and I didn't even think about it.
> Darn!!!
> > > > > > > > > > > >
> > > > > > > > > > > > Just recently, I started putting together a "Lessons
> > > > Learned"
> > > > > > > > document
> > > > > > > > > > for
> > > > > > > > > > > > my company, and actually for our partner community,
> and in
> > > > > > > beginning
> > > > > > > > > to
> > > > > > > > > > do
> > > > > > > > > > > > that, I started going back through my notes and
trying
> to
> > > > > > > reproduce
> > > > > > > > > the
> > > > > > > > > > > > results that I had documented in my notes.
> > > > > > > > > > > >
> > > > > > > > > > > > And, that's when I started finding these
> > > > differences/problems.
> > > > > > > > > > > >
> > > > > > > > > > > > I am going to have to try to recreate my earlier
> Win2K3
> > > > > > > environment,
> > > > > > > > > but
> > > > > > > > > > > > I've already created a clean install of Win2K AS
> (SP4),
> > > and
> > > > with
> > > > > > > the
> > > > > > > > > > Win2K
> > > > > > > > > > > > AS, it is definitely working with the expired CRLs,
> and
> > > IIS5
> > > > > > > > > definitely
> > > > > > > > > > is
> > > > > > > > > > > > not shutting down websites that are SSL (client)
> secured
> > > > when I
> > > > > > > > delete
> > > > > > > > > > the
> > > > > > > > > > > > CRL from the ICA store.
> > > > > > > > > > > >
> > > > > > > > > > > > Once I get some time to rebuild a Win2K3
environment,
> I'll
> > > > try
> > > > > > > this
> > > > > > > > > > again,
> > > > > > > > > > > > but unless my (voluminous) notes are completely
> whacked, I
> > > > think
> > > > > > > > that
> > > > > > > > > > I'm
> > > > > > > > > > > > going to find that Win2K3 does obey the CRL
expiration
> > > date
> > > > and
> > > > > > > does
> > > > > > > > > > lock
> > > > > > > > > > > > down the SSL (client) secured websites when I delete
> the
> > > CRL
> > > > from
> > > > > > > > the
> > > > > > > > > > ICA
> > > > > > > > > > > > store.
> > > > > > > > > > > >
> > > > > > > > > > > > Our policy and standard maintenance practices do
call
> for
> > > > ensuring
> > > > > > > > > that
> > > > > > > > > > the
> > > > > > > > > > > > CRLs are both populated and updated, so hopefully
this
> > > won't
> > > > be a
> > > > > > > > > > problem,
> > > > > > > > > > > > but if things turn out the way I'm alluding to
above,
> > > these
> > > > 2
> > > > > > > > problems
> > > > > > > > > > seem
> > > > > > > > > > > > like a kind of major problem in Win2K AS/IIS5?
> > > > > > > > > > > >
> > > > > > > > > > > > Will post back, but probably not immediately...
> > > > > > > > > > > >
> > > > > > > > > > > > Jim
> > > > > > > > > > > >
> > > > > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com>
wrote
> in
> > > > message
> > > > > > > > > > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > > > As an additional troubleshooting step, you can use
> > > CAPIMON
> > > > to
> > > > > > > > debug
> > > > > > > > > > > > exactly
> > > > > > > > > > > > > what IIS is doing and what information is being
> returned
> > > > by
> > > > > > > > > CryptoAPI
> > > > > > > > > > > > > through CAPIMON:
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > >
> > >
>
http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > David B. Cross [MS]
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > This posting is provided "AS IS" with no
warranties,
> and
> > > > confers
> > > > > > > > no
> > > > > > > > > > > > rights.
> > > > > > > > > > > > >
> > > > > > > > > > > > > http://support.microsoft.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in
message
> > > > > > > > > > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I have a new/clean Win2K Advanced Server
> installation
> > > > with
> > > > > > > IIS5.
> > > > > > > > > > This
> > > > > > > > > > > > > > machine is a standalone server, i.e., it is not
a
> > > member
> > > > of a
> > > > > > > > > > domain,
> > > > > > > > > > > > > > and I've updated Win2K through SP4.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > The IIS5 website is configured for SSL with
client
> and
> > > > server
> > > > > > > > > > > > > > authentication, and that part is working.  My
> server
> > > and
> > > > > > > client
> > > > > > > > > > certs
> > > > > > > > > > > > > > are issued by a 3rd party CA, and all the client
> certs
> > > > do not
> > > > > > > > have
> > > > > > > > > > the
> > > > > > > > > > > > > > CDP populated.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > For my testing earlier, my CA provided me with
> several
> > > > test
> > > > > > > > CRLs,
> > > > > > > > > > along
> > > > > > > > > > > > > > with associated client certs, and I've been
using
> > > > CertMgr.exe
> > > > > > > to
> > > > > > > > > > import
> > > > > > > > > > > > > > the test CRLs into the Intermediate
Certification
> > > > Authorities
> > > > > > > > > (ICA)
> > > > > > > > > > > > > > store during my testing.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > However, today I noticed that the test CRLs all
> have a
> > > > "Next
> > > > > > > > > Update"
> > > > > > > > > > > > > > date of 1/29/04, and since today is 3/26/04, I
> can't
> > > > > > > understand
> > > > > > > > > how
> > > > > > > > > > > > > > these CRLs could still be working.  It seems
like
> they
> > > > should
> > > > > > > be
> > > > > > > > > > > > > > considered invalid and that since IIS5 is
calling
> > > > CryptoAPI to
> > > > > > > > do
> > > > > > > > > > the
> > > > > > > > > > > > > > CRL checking, that I should be getting some kind
> of
> > > > error?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I've checked the system date on the server, and
> it's
> > > > > > > definitely
> > > > > > > > > > correct
> > > > > > > > > > > > > > (today's date), so I'm really puzzled.  I really
> have
> > > > the
> > > > > > > > > impression
> > > > > > > > > > > > > > that CryptoAPI (and thus IIS5) would throw some
> kind
> > > of
> > > > error
> > > > > > > if
> > > > > > > > > the
> > > > > > > > > > CRL
> > > > > > > > > > > > > > was not within the validity period.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Can someone explain why these
> out-of-validity-period
> > > > CRLs
> > > > > > > still
> > > > > > > > > seem
> > > > > > > > > > to
> > > > > > > > > > > > > > work all right?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > > Jim
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > >
> > > >
>
>


Relevant Pages

  • Re: Problem with IIS5 - "expired" CRLs not working?
    ... David B. Cross -- ... > If I'm interpreting things correctly from the CAPIMONUI output, something> is calling CertVerifyCertificateChainPolicy() with flags> that tell CertVerifyCertificateChainPolicynot to pay attention to the ... >>> the very beginning of the CAPIMONUI display, ... >>> I'm going to try again with a known revoked cert later, ...
    (microsoft.public.inetserver.iis)
  • Re: ruby certification
    ... Do you think that is any better than 90 classroom hours spaced out over ... of respect for what Mr. David Black does for the Ruby and also the ... programmer learning another language. ... someone to help you on something very important, would a cert matter ...
    (comp.lang.ruby)
  • Re: Expiration Of Certificates
    ... David B. Cross ... Troubleshooting Certificate Status and Revocation whitepaper: ... >> perform new encryption without enrollment for a new valid cert. ... >> Troubleshooting Certificate Status and Revocation whitepaper: ...
    (microsoft.public.security)
  • Re: ruby certification
    ... of respect for what Mr. David Black does for the Ruby and also the ... I don't have a problem with the certificate designation because I ... you have to hand in homework assignments that Ryan Davis grades ... someone to help you on something very important, would a cert matter ...
    (comp.lang.ruby)