* _mode_checkid(): Pass 'ns' through setup_map.
          (reported and fixed by Sergey Homenkow.)

        * signed_return_url(): verify and remove 'realm', if provided.
          (reported and fixed by Sergey Homenkow.)

        * "10.2.1. In Response to Immediate Requests" (Negative Assertions)
          OpenID2 return 'mode=setup_needed' and 'ns',
          OpenID1 return 'mode=id_res' and 'user_setup_url'.
	  (reported and fixed by Sergey Homenkow.)

	* "8.2.4. Unsuccessful Response Parameters" (Establishing Associations)
          "If the OP does not support a session type or association type, it MUST
          respond with a direct error message indicating that the association
          request failed." (reported and fixed by Sergey Homenkow.)

        * Fix our openid.signed list to be consistent with what we
          actually sign when empty fields are present.
          Reported and fixed by Igor Gariev <gariev@hotmail.com>.

        * Don't include op_endpoint in 1.1 assertion messages.


	* OpenID 2.0 support from kazeburo from mixi.jp.

0.13: 2007-09-09

	* remove test's non-used/non-declared "use" of DSA modules.
	  makes test in auto-testers now.  also remove dead/old tests.

0.12: 2007-09-03

	* make ->err method return false when no error:

	* doc fix: http://rt.cpan.org/Ticket/Display.html?id=29110

        * doc fix in abstract (was previously copy/pasted from the
	consumer module)

0.11: (2007-04-16) - after year+ of being in svn, but not released. :)

	* basic support for OpenID extensions (2006-03-13)

0.10: (2005-09-01)
        * fix up old docs which mentioned the ancient public_key and
	  private_key parameters

	* fix some warnings in make test.  (Tatsuhiko Miyagawa)

	* version 1.1 of the protocol, with 1.0 as a "compat" option
	  (where both 1.0 and 1.1 response keys are sent) compat is either
	  on, off, or unspecified, in which case it's on by default for
	  one month

        * security fix, as pointed out by meepbear: check_authentication
	  shouldn't honor signature verification requests using
	  assoc_handles that were given out in associate requests.  that
	  means that we must be able to distinguish (internally) handles
	  that were given out to "dumb" consumbers (stateless) vs. ones we
	  gave out in associate requests.

	  for more information, see:
	* openid.mode=cancel support

        * invalidate_handle support

	* fix a call to error_page that should've been _error_page

	* _secret_of_handle now only takes an assoc_handle, not
	  also an assoc_type, as an assoc_handle should always
	  self-imply its type

	* make rand_chars public

	* remove old DSA-based code

	* test suite for new DH/HMAC-based code

        * start implementing the new DH + HMAC-SHA1 spec, instead
	  of being DSA-based.  The DSA code is still working for now,
	  and it'll do either protocol, but it'll be removed in time.

	* add "signed_return" method and docs

	* require Convert::PEM 0.07, which was always required,
	  but I forgot its version number before

	* add "redirect_for_setup" option on handle_page and docs

        * stupid push_url_arg bugfix

	* more tests

        * checkid_immediate vs checkid_setup mode (handle_page can return
	  $type of "setup")

        * initial release.  test suite works.  no example app yet.

	* requires Crypt::DSA or Crypt::OpenSSL::DSA