train-2011.09.29:
  * shortly after dialog is spawned, we remove the four random chars in the fragment (aesthetic)
  * fix bug where session duration had an upper bound of 7 days - the time the server was running: #310
  * fix bug where a user could go longer than 1 week without re-authenticating: #309

train-2011.09.22:
  * migrate to browserid signed certificates rather than keypairs where browserid hosts the public key: https://github.com/mozilla/browserid/issues?milestone=6
  * IE9 support
  * partial IE8 support (not yet usable, several small remaining bugs, and abysmal performance)
  * development harness (./run.js) now respects an IP_ADDRESS env var to bind to a specific address (other than 127.0.0.1)
  * improved first-time development experience:  `git clone && cd browserid && npm install && npm run`
  * initial support for running locally under virtualbox via vagrant: issue #261 (thanks ozten!)
  * (fix 2011.09.23) fix race condition between relay iframe and window introduced with IE9 support.  issue #287
  * (fix 2011.09.23) fix blank popup on second sigin invocation in same session in FFX:  issue #286
  * (fix 2011.09.23) explicitly disable caching for /wsapi calls, prevents unwanted caching of CSRF and friends. issue #294

train-2011.09.01:
  * /ws_api/set_key always returns returns value instead of HTTP 204 response: #219
  * update javascript mvc to 3.1.0.
  * major interframe/window communication change using a hidden relay iframe to facilitate IE: #97(still open)
  * link colors on browserid.org are consistent: #227

train-2011.08.25:
  * created command line load generation tool and performance analysis work: #125
  * beginning unit/functional tests for front end: #183
  * front end refactor to facilitate unit/functional tests and UX iteration: #183
  * error messages are shown on front end: #184
  * users must now verify account ownership before attempting a key sync.
  * manage page date format: #191
  * manage page button only displayed if user is currently authenticated: #195
  * manage page emails are synced on page open: #181
  * wsapi_client created for clients needing programatic access to wsapi.
  * harden set_key against duplicate keys.
  * fix new email addresses added not being synced on client: #199
  * upgrade to bcrypt 0.2.4.
  * minify include.js by default: #206
  * more than one email address can be added per dialog lifespan: #215
  * verifyier no longer verifies assertions issued by another server.
  * (2011.08.31) no error message displayed if you try to authenticate with an invalid u/p: #222
	
train-2011.08.18:
  * upon clickthrough of the email link, don't have the browser window close itself: #162
  * passwords must be between 8 and 80 chars: #155
  * improved handling of emailing & verification urls during local development & testing: #88
  * language changes in dialog: #150
  * many improvements to unit tests: #171
  * forgotten password flow was broken with port to mysql, fixed: #170
  * improved metrics reporting abstraction: #168
  * moved all server logging into a single file: #169
  * all files created at execution time are now in one location:  #172	
  * developer ergonomics - improved colorized logging with terse webserver output to console
  * always require a user to authenticate if they don't have an active session: #74
  * improved CSRF protection to fix race conditions in previous train: #173
		
train-2011.08.12:
  * massive zero-user-visibile refactoring of dialog javascript.
  * fix cancel button in "waiting for verification state" (issue #147)
  * all browserid source is now tri-licensed (MPL1.1/GPL/LGPL). (issue #141)
  * fixes for mobile firefox (fennec).  (issue #140)
  * mysql support implemented for browserid (default persistence production) (issue #71)
  * json persistence support added - a standalone dead simple persistence layer which is the default for local development and requires no external software.
  * email secrets are now persisted in the database, so upon server restart outstanding verification links are no longer invalidated (issue #91)
  * (website) styling changes - like fix issues where links on dev page were being displayed white on white.
	
train-2011.08.04:
  * when user closes dialog without clicking "cancel", properly return 'null' to the webpage (via getVerifiedEmail callback) - issue #107
  * improve checks to warn developer that prerequisite software is missing. issue #110
  * parameterize software to support multiple deployment environments (dev/beta/prod) issues #102 & #52
  * documentation updates.
  * improved logging (using the winston logging framework for node.js)
  * [website] fixed inclusion of youtube video (now over https to keep browsers from getting scared about mixed mode resource inclusion)

train-1:
  * beginning of time, everything is new.
  * (2011.08.03) include youtube video embedding over https (issue #112)
  * (2011.08.04) fix mozillalabs.com link in dialog (issue #116)