diff --git a/ChangeLog b/ChangeLog
index 8584d47b8cef8add0662577c40c0e45a6cb04e4a..75af1b3664ec5bdb23e0efd74b1905161221f0f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+train-2011.08.25:
+  * created command line load generation tool and performance analysis work: #125
+  * beginning unit/functional tests for front end: #183
+  * front end refactor to facilitate unit/functional tests and UX iteration: #183
+  * error messages are shown on front end: #184
+  * users must now verify account ownership before attempting a key sync.
+  * manage page date format: #191
+  * manage page button only displayed if user is currently authenticated: #195
+  * manage page emails are synced on page open: #181
+  * wsapi_client created for clients needing programatic access to wsapi.
+  * harden set_key against duplicate keys.
+  * fix new email addresses added not being synced on client: #199
+  * upgrade to bcrypt 0.2.4.
+  * minify include.js by default: #206
+  * more than one email address can be added per dialog lifespan: #215
+  * verifyier no longer verifies assertions issued by another server.
+
 train-2011.08.18:
   * upon clickthrough of the email link, don't have the browser window close itself: #162
   * passwords must be between 8 and 80 chars: #155
diff --git a/browserid/static/dialog/controllers/authenticate_controller.js b/browserid/static/dialog/controllers/authenticate_controller.js
index 7d337bc41bc9f5c918b6828997ec5d4213574268..edd353dcccbf23b398e4f2f3ad877c59f686f7e7 100644
--- a/browserid/static/dialog/controllers/authenticate_controller.js
+++ b/browserid/static/dialog/controllers/authenticate_controller.js
@@ -1,5 +1,5 @@
-/*jshint brgwser:true, jQuery: true, forin: true, laxbreak:true */                                             
-/*global Channel:true, CryptoStubs:true, alert:true, errorOut:true, setupChannel:true, getEmails:true, clearEmails: true, console: true, _: true, pollTimeout: true, addEmail: true, removeEmail:true, BrowserIDNetwork: true, BrowserIDWait:true, BrowserIDErrors: true, PageController: true */ 
+/*jshint brgwser:true, jQuery: true, forin: true, laxbreak:true */
+/*global Channel:true, CryptoStubs:true, alert:true, errorOut:true, setupChannel:true, getEmails:true, clearEmails: true, console: true, _: true, pollTimeout: true, addEmail: true, removeEmail:true, BrowserIDNetwork: true, BrowserIDWait:true, BrowserIDErrors: true, PageController: true */
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
@@ -52,7 +52,7 @@
     "#forgotpassword click": function(event) {
       this.close("authenticate:forgotpassword");
     },
-            
+
     "#create click": function(event) {
       this.close("authenticate:createuser");
     },
@@ -72,13 +72,13 @@
       BrowserIDIdentities.authenticateAndSync(email, pass, function(authenticated) {
         if (authenticated) {
           self.doWait(BrowserIDWait.authentication);
-        } else {
-          self.find("#nosuchaccount").hide().fadeIn(400);
         }
       },
       function(authenticated) {
         if (authenticated) {
           self.close("authenticate:authenticated");
+        } else {
+          self.find("#nosuchaccount").hide().fadeIn(400);
         }
       }, self.getErrorDialog(BrowserIDErrors.authentication));
     }
diff --git a/browserid/static/dialog/views/addemail.ejs b/browserid/static/dialog/views/addemail.ejs
index c8f21a33e95bafed00558251737fe0caef5f1072..2c65986ecd94803c2cf28a454798f5c276214e84 100644
--- a/browserid/static/dialog/views/addemail.ejs
+++ b/browserid/static/dialog/views/addemail.ejs
@@ -3,7 +3,7 @@
     <div class="summary">Setting up a new email address is easy, tell us what it is and we'll get started:</div>
     <div class="formRow">
       <label for="email_input">Email</label>
-      <input type="email" id="email_input" required/>
+      <input type="email" id="email_input" autocapitalize="off" autocorrect="off" required/>
       <span class="note"></span>
     </div>
   </div>
diff --git a/browserid/static/dialog/views/authenticate.ejs b/browserid/static/dialog/views/authenticate.ejs
index c1e1c7fdd7cf1dd632879188419e030796e9fbd1..59601fbedede4c0ecaa25aa5dbc21936f7aa0ccb 100644
--- a/browserid/static/dialog/views/authenticate.ejs
+++ b/browserid/static/dialog/views/authenticate.ejs
@@ -2,7 +2,7 @@
     <p class="prompt">Signing into <span class="sitename bad"><%= sitename %></span>:</p>
     <div class="formRow">
       <label for="email_input"> Email </label>
-      <input type="email" id="email_input" required />
+      <input type="email" id="email_input" autocapitalize="off" autocorrect="off" required />
     </div>
     <div class="formRow">
       <label for="password_input"> Password </label>
diff --git a/browserid/static/dialog/views/create.ejs b/browserid/static/dialog/views/create.ejs
index 14b29914bd5ea3ce94b4b171b61394eca4f71931..7bafe11ea5efb6aab72874fe01e6b27b1d28575b 100644
--- a/browserid/static/dialog/views/create.ejs
+++ b/browserid/static/dialog/views/create.ejs
@@ -2,7 +2,7 @@
     <div class="summary">BrowserID makes signing in <b>safer and easier</b>.  To begin, please provide an email address and pick a password:</div>
     <div class="formRow">
       <label for="email_input"> Email </label>
-      <input id="email_input" type="email" required/>
+      <input id="email_input" type="email" autocapitalize="off" autocorrect="off" required/>
       <span class="note" id="email_input_note" style="display:none;">
         <span class="good">Not registered</span>
       </span>
diff --git a/browserid/static/dialog/views/forgotpassword.ejs b/browserid/static/dialog/views/forgotpassword.ejs
index d9d7948b3197143e22dd0086cded056004350c59..974ab45356006dc6ca7479e6c1a1834414e098fa 100644
--- a/browserid/static/dialog/views/forgotpassword.ejs
+++ b/browserid/static/dialog/views/forgotpassword.ejs
@@ -2,7 +2,7 @@
     <div class="summary"><b>Forgot your password?</b>  No problem!  Enter your email address, pick a new password, and we'll get you set up again!</div>
     <div class="formRow">
       <label for="email_input"> Email </label>
-      <input id="email_input" type="email" required/>
+      <input id="email_input" type="email" autocapitalize="off" autocorrect="off" required/>
       <span class="note" id="email_input_note" style="display:none;"><span class="good">Not registered</span></span>
     </div>
     <div class="formRow">
diff --git a/package.json b/package.json
index da47ac2b00cdb47275b04eab1f7fcfd2ca9f2cc7..8f82a3b5ff0b53c5ce605de19f16d98f02b64022 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,8 @@
   , "version": "0.0.1"
   , "private": true
   , "dependencies": {
-      "express": "2.4.3"
+      "connect": "1.6.2"
+    , "express": "2.4.3"
     , "xml2js": "0.1.5"
     , "nodemailer": "0.1.18"
     , "mustache": "0.3.1-dev"
@@ -18,5 +19,11 @@
     , "connect-cookie-session" : "0.0.1"
     , "mysql" : "0.9.2"
     , "optimist" : "0.2.6"
+    , "qs" : "0.3.1"
+    , "mime" : "1.2.2"
+    , "pkginfo" : "0.2.2"
+    , "colors" : "0.5.0"
+    , "sax" : "0.2.3"
+    , "mimelib-noiconv" : "0.1.3"
   }
 }
diff --git a/scripts/merge_train.sh b/scripts/merge_train.sh
index 20ec64c9eb4e90fa7e5339fdc48149be79a874e4..9fafba6dcf7fef5aa648164a86ce91ef9d5a0186 100755
--- a/scripts/merge_train.sh
+++ b/scripts/merge_train.sh
@@ -5,15 +5,22 @@
 
 # get up to date!
 echo "Getting up to date:"
-get fetch origin
+git fetch origin
 
 # first, let's identify the train
 TRAIN=`git branch -a | grep remotes/origin/train | sed -e 's/^.*train-\(.*\)$/\1/' | sort -n | tail -1`
 echo "Merging train ($TRAIN) into production" 
 
-git checkout prod
+git checkout -B prod remotes/origin/prod
 git merge --no-ff remotes/origin/train-$TRAIN -m "integrating train $TRAIN"
-git branch -D train-$TRAIN
+
+# now delete the local train branch if it exists
+LOCAL_TRAIN_BRANCH=`git branch | fgrep train-$TRAIN`
+if [ "x${LOCAL_TRAIN_BRANCH}" == "xtrain-${TRAIN}" ] ; then
+    echo "deleting local branch: train-$TRAIN"
+    git branch -D train-$TRAIN
+fi
+
 git tag train-$TRAIN
 
 echo "All done!  Now you should delete the remote train, and push your changes"
diff --git a/verifier/lib/idassertion.js b/verifier/lib/idassertion.js
index 642d702e79016a62f511cbfbd52dd29b1f09a455..7a8a56021b901022f0c9774e99bcd6ad827fcb51 100644
--- a/verifier/lib/idassertion.js
+++ b/verifier/lib/idassertion.js
@@ -48,6 +48,9 @@ const url = require("url");
 const rsa = require("./rsa.js");
 const logger = require("../../libs/logging.js").logger;
 
+// configuration information to check the issuer
+const config = require("../../libs/configuration.js");
+
 var Webfinger = (function() {
 
   // contains domain to template string
@@ -309,6 +312,14 @@ IDAssertion.prototype  =
       return;
     }
 
+    // check that the issuer is just US for now, no other issuer
+    // FIXME: this will need to change for certs
+    var expected_issuer = config.get('hostname') + ':' + config.get('port');
+    if (payload.issuer != expected_issuer) {
+      onError("Issuer can only be ourselves for now, it should be: " + expected_issuer);
+      return;
+    }
+    
     // (if there was a certificate, we could verify it here)
     // but for now we will assume email-based lookup