ljr/wcmtools/openid/perl/Net-OpenID-Server/ChangeLog

0.09:
	* version 1.1 of the protocol, with 1.0 as a "compat" option
	  (where both 1.0 and 1.1 response keys are sent) compat is either
	  on, off, or unspecified, in which case it's on by default for
	  one month

0.08:
        * security fix, as pointed out by meepbear: check_authentication
	  shouldn't honor signature verification requests using
	  assoc_handles that were given out in associate requests.  that
	  means that we must be able to distinguish (internally) handles
	  that were given out to "dumb" consumbers (stateless) vs. ones we
	  gave out in associate requests.

	  for more information, see:
	      http://lists.danga.com/pipermail/yadis/2005-July/001144.html
0.07:
	* openid.mode=cancel support

        * invalidate_handle support

	* fix a call to error_page that should've been _error_page

	* _secret_of_handle now only takes an assoc_handle, not
	  also an assoc_type, as an assoc_handle should always
	  self-imply its type

0.06:
	* make rand_chars public

	* remove old DSA-based code

	* test suite for new DH/HMAC-based code

0.05:
        * start implementing the new DH + HMAC-SHA1 spec, instead
	  of being DSA-based.  The DSA code is still working for now,
	  and it'll do either protocol, but it'll be removed in time.

0.04:
	* add "signed_return" method and docs

	* require Convert::PEM 0.07, which was always required,
	  but I forgot its version number before

	* add "redirect_for_setup" option on handle_page and docs

0.03:
        * stupid push_url_arg bugfix

	* more tests

0.02:
        * checkid_immediate vs checkid_setup mode (handle_page can return
	  $type of "setup")

0.01:
        * initial release.  test suite works.  no example app yet.

	* requires Crypt::DSA or Crypt::OpenSSL::DSA
init 2019-02-05 21:49:12 +00:00			`0.09:`
			`* version 1.1 of the protocol, with 1.0 as a "compat" option`
			`(where both 1.0 and 1.1 response keys are sent) compat is either`
			`on, off, or unspecified, in which case it's on by default for`
			`one month`

			`0.08:`
			`* security fix, as pointed out by meepbear: check_authentication`
			`shouldn't honor signature verification requests using`
			`assoc_handles that were given out in associate requests. that`
			`means that we must be able to distinguish (internally) handles`
			`that were given out to "dumb" consumbers (stateless) vs. ones we`
			`gave out in associate requests.`

			`for more information, see:`
			`http://lists.danga.com/pipermail/yadis/2005-July/001144.html`
			`0.07:`
			`* openid.mode=cancel support`

			`* invalidate_handle support`

			`* fix a call to error_page that should've been _error_page`

			`* _secret_of_handle now only takes an assoc_handle, not`
			`also an assoc_type, as an assoc_handle should always`
			`self-imply its type`

			`0.06:`
			`* make rand_chars public`

			`* remove old DSA-based code`

			`* test suite for new DH/HMAC-based code`

			`0.05:`
			`* start implementing the new DH + HMAC-SHA1 spec, instead`
			`of being DSA-based. The DSA code is still working for now,`
			`and it'll do either protocol, but it'll be removed in time.`

			`0.04:`
			`* add "signed_return" method and docs`

			`* require Convert::PEM 0.07, which was always required,`
			`but I forgot its version number before`

			`* add "redirect_for_setup" option on handle_page and docs`

			`0.03:`
			`* stupid push_url_arg bugfix`

			`* more tests`

			`0.02:`
			`* checkid_immediate vs checkid_setup mode (handle_page can return`
			`$type of "setup")`

			`0.01:`
			`* initial release. test suite works. no example app yet.`

			`* requires Crypt::DSA or Crypt::OpenSSL::DSA`