This file documents all important changes. Please document all
important changes in this file and not only write a comment during
"cvs commit".

2004-Feb-xx:
	* automatic cleanup of PKCS#10 requests (multiple CR/LFs are removed)
	* OpenSSL::getPIN does not log output anymore
	* nCipher HSM module: timeouts are now configurable
	* modified lib/cmds/changeCSR: no longer accepts SubjectAltName
	  values without a non-empty SAN label tag
	* LunaCA3 related updates
	    - major update for OpenCA::Token::LunaCA3
	    - removed unnecessary use of the CA token in crypto-utils.lib
	    - repaired hsmLogin and hsmLogout for HSMs in daemon mode
	    - startDaemon in OpenCA::Crypto repaired
	    - new code for stopDaemon in OpenCA::Crypto
	    - added KEYFORM parameter to OpenCA::OpenSSL
	* updateSearchAttributes tried to fix non-existent objects
	* loadConfigXML used with wrong parameters in basic_csr
	* when reading lib/cmds/ files initServer now enforces strict
	  checking and does not allow redefinition of perl functions
	  any longer (bug #1080565). On CVS head this will be fixed when
	  moving to the object oriented interface.
	  In this process some coding problems (typos in variable names)
	  were corrected.
	* fixed bug #1081655 (old @sendMailAutomatic@ must be
	  @send_mail_automatic@ in node.conf.in)
	* OpenCA::DBI
	    - fixed LC_MESSAGES usage (POSIX usage was not compatible
	      with perl 5.6.1)
	* added forgotten ModuleID to ldap.conf.in
	* fixed key conversion if private key of token is activated
	  (bug #1010690)
	* fixed bug #1069405 (crypto_is_unique_subject was renamed to
	  crypto_no_unique_subject incl. fixed usage)
	* fixed subjects of certificate and CRIN mails in
	  crypto-utils.lib
	* bugfix: removed extra space in SubjectAltNames in basic_csr and
	  ldapCreateCSR
	* bugfix: fixed proposed filename in sendcert (IE download problem
	  for certain cert CNs)
2004-Oct-28:
	* 0.9.2.1
	* don't add an emailaddress from subject twice to the subject
	  alternative name
	* fixed linking of common.conf
	* Greek translation (el_GR) is now available
	* OpenCA::OpenSSL excludes RSA private keys from debug/log output
	* OpenCA::AC excludes passwords from debug/log output
	* fixed OpenCA::DBI module for Oracle database 'external 
	  authentication' (db_name and db_passwd are left blank in this case)
2004-Oct-11:
	* 0.9.2.0
	* fixed broken package builds
	    - added target __install_dir to Makefile.global-vars.in to
	      emulate "install -D"
	    - LN_S statements no longer contain $(DESTDIR) to avoid
	      problems with direct symlinks (bug #1039824)
	    - LN_S always replaced by __install_ln_s
	    - introduced relative_ln_s.sh
	* bpIssueCertificate and bpRevokeCertificate are now available
	  at the CA interface too
	* fixed datatype handling in sendcert
	* uncommented confirm_revreq.xml in the makefile of
	  src/common/etc/rbac/cmds/ (bug #1035100)
	* moved xml_cache.log to LOG_DIR
	* using get_xpath_count instead of get_xpath to detect missing
	  elements in genMenu reduces the noise in xml_cache.log
	* added uid to CSR_SUPPORTED_ATTRIBUTES
	* bugfixes for crypto stuff
	    - only send encrypted PIN mails in crypto-utils.lib if
	      PUBKEY_ALGORITHM is RSA (bug #1031096)
	    - crypto_check_lifetime in crypto-utils.lib now tolerates an
	      empty role (from ldapCreateCSR in viewCSR)
	    - fixed weak default cipher in OpenCA::OpenSSL->genkey
	    - detect missing keysize for RSA or missing parameter file
	      for DSA in OpenCA::OpenSSL
	    - enabled debugging for Tokens if global debugging is
	      activated in OpenCA::Crypto
	    - insecure RSA key lengths are now the last entries in lists
	    - fixed typo in OpenCA::OpenSSL::SMIME (setError --> _setError)
	* added new request type
	    - authentication against LDAP
	    - supports key generation with Mozilla
	    - supports key generation on MSIE
	    - supports key generation on server side
	    - uses data from LDAP
	    - OpenCA::LDAP->bind now supports DN and PASSWD
	* fixed typo in node.conf.in (update_ldap_automatic)
	* OpenBSD fixes
	    - adjustments for gcc 2.95.3 (see ocspd and openca-sv)
	    - fixed several (36) makefiles (removed GNU features)
	    - set RM in Makefile.global-vars.in
	    - removed src/web-interfaces/ra/htdocs/crl/Makefile
	* added en_GB to allow fixing typos after string freeze
	* OpenCA SV
	    - removed load_certs from apps.c
	    - cleanup of apps.h
	    - removal of e_os.h
	    - general.h is now safe against multiple includes
	    - fixed apps.c, sv.c and verify-crypto.c for compilers which
	      require all variable definitions at the beginning of a
	      block (gcc 2.95.3 in OpenBSD 3.5 for example)
	* OCSPD
	    - general.h is now safe against multiple includes
	    - OpenBSD is no GNU but supports semaphores (general.h)
	    - resolv.conf requires netinet/in.h and sys/socket.h
	* split error message for missing parameters into one message
	  per parameter in OpenCA::DBI
	* i18n stuff
	    - updated openca.pot and openca.po files
	    - fixed algorithm to get cmds (common/lib/locale/files)
	    - added some new patterns to remove_perl.pl
	* fixed content-type application/x-pki-message
	* fixed ACL
	    - module initialization allowed for CA now too
	    - csr edit allowed for CA now too
	    - more robust logout in OpenCA::AC
	    - removed ca_cert from acl_config (unused)
	* fixed DSA support
	    - added parameter generation
	    - fixed parameters for openssl gendsa
	    - fixed login in OpenCA::Token::OpenSSL (bug #1026531)
2004-Sep-07:
	* fixed security bugfix for CAN-2004-0787 (openca_0_9_1 too)
	* allow the CA to initialize the database
	* avoid passing logout as a value of cmd through OpenCA::AC
	* added DirName support for subject alt names
	* use DirName in subject alt name as distinguished name in
	  OpenCA::LDAP->add_object
	* i18n stuff (mainly Janez Pirc)
	    - fixed next cmds
	    - updated openca.po for sl_SI
	    - i18n.xml updated for sl_SI
	    - added support for translation of timestamps
2004-Sep-06:
	* fixed Cross Site Scripting vulnerability (CAN-2004-0787)
	  (openca_0_9_1 too)
	* no longer create RDNs without an attribute name during
	  changeCSR (bug #1020461)
	* fixed usage of CA cert
	    - removed signatures from role and CRIN of a cert
	    - fixed key usage of CA cert (bug #1020876)
	* fixed incompatibility with Perl 5.6.1 in initCGI and
	  initServer by Christopher Bongaarts (bug #1020671)
	* fixed bug #1020499:
	    - remove 'email' and 'mail' attributes when adding CA certs 
	      to LDAP directory
	    - removed mail from ldap.xml if last RDN is no mail address
	* fixed memory leaks
	    - added Apache::Leak to bpDoFunction for debugging
	    - fixed function debug in OpenCA::Token::OpenSSL
	    - added a function _cleanup to OpenCA::XML::Cache
	    - fixed function debug in OpenCA::Log
	    - fixed function debug in OpenCA::Log::Message
	    - fixed function debug in OpenCA::Logger::Syslog
	    - fixed function debug in OpenCA::Crypto
	* fixed bug #1014975
	    - added -optional to several input fields in basic_csr
	    - OpenCA::TRIStateCGI supports the new flag -optional now
	* fixed minimum length of IP addresses in CA and public config
	* fixed OpenCA::X509 cert extension parsing (bug #1017584)
	* fixed hardcoded path for BP_EXPORT_PKCS12_DIR in node.conf.in
	* i18n fixes
	    - added sl_SI from Janez Pirc
	    - several missing gettext fixed in cmds by Janez Pirc
	    - fixed ieEnroll.js in fr_FR (bug #1012204)
	    - signForm.vbs needs conversion from unicode to ascii to work
	      properly with openca-sv because page content is unicode
	      encoded by default (Julio D'Angelo)
	    - fixed wrong comments (starting with // instead of ') in
	      de_DE/signForm.vbs (Julio D'Angelo)
	* do not try to remove dataexchange commits if openca performs
	  a recovery import (bug #1013501)
	* added test target to makefiles of ocspd and scep
	* access control (OpenCA::AC)
	    - added method for external user authentication incl.
	      documentation (Martin Bartosch)
	    - added function getUser
	    - removed implicit access control via lib/servers/*/cmds
	    - removed lib/servers completely
	    - removed all directories src/web-interfaces/*/cmds
	    - removed all directories src/web-interfaces/*/functions
	    - created a real default acl.xml with correct module IDs
	    - ACL deactivation means now access to all OpenCA functions
	    - all commands are now loaded at startup in initServer
	    - function libLoadCommand was removed from misc-utils.lib
	    - updated OpenCA guide
	    - access control including configuration is now cached
	    - store the challenge of the X.509 login on serverside
	* added "+" as special character for attribute values in
	  distinguished names to basic_csr (bug #1011396)
	* removed additional "{" from verifySignature (bug #1011418)
	* OpenCA::OpenSSL issues
	    - added wrapper to openca-sv sign and decrypt too
	    - fixed getPIN (using substr instead of sprintf)
	    - removed trailing = from PIN
	    - fixed error detection of decrypt
	* batch system
	    - added forgotten bpImportProcessDataCompact.xml
	    - added better error detection for key loading in bpDoStep
	* huge nCipher patch (Martin Bartosch)
	    - updated OpenCA::Token::nCipher
	    - updated documentation
	    - updated example configuration
	* CRL numbering
	    - all CRLs have now serials by default (openssl.cnf)
	    - OpenCA::CRL->getSerial returns only a digest now if there
	      is no serial in the CRL present
	    - added file var/crypto/crlnumber
	* added howto and a link to the live CD from Kevin Mitcham 
	* removing trailing spaces if there is a list of values for a
	  configuration option in OpenCA::Configuration (Damon Smith)
	* removed an unnecessary zero after recovery of OpenSSL's
	  serial file in crypto-utils.lib (bug #1007255)
	* mail handling (bug #972741)
	    - fixed mail suffix handling in eximDownloadMail
	    - fixed suffix of DBM files in mail-utils.lib
	    - created new function initTools in initServer
	    - added DEBUG switch to OpenCA::Tools
	    - detect invalid SRC in OpenCA::Tools->copyFiles
	* openca_rc start now detects errors on startup
	* fixed regex in OpenCA::REQ to split subject alt name
	  correctly for emailaddress extraction (bug #995112)
	* bug fixes for DBI
	    - added support for namespaces including db_namespace in
	      config.xml.in
	    - the SQL table initialization code can now be displayed
	    - rewrite the functions set_error, errno and errval
	    - added correct error handling of DBI->connect in initServer
	    - added environment for Oracle to DBI.conf
	    - fixed OpenCA::DBI because the prepare statement with
	      Oracle returns undef if tables or views are not present
	* SPEC file cleanup (removal of all SPEC files from source tree)
	    - removed SPEC files and build-rpm.sh from openca-0.9/src
	    - removed openca-0.9/contrib/rpm
	    - SPEC files and build-rpm.sh removed from configure.in
	      files in openca-0.9 (bug #1004616)
	* removing trailing or leading garbage from PKCS#10 requests in
	  pkcs10_req (bug #1003718)
	* OpenCA SV related stuff
	    - if the key usage is available then openca-sv checks now the
	      key usage for the signing bit before signing (bug #1011523)
	    - massive cleanup in apps.c of OpenCA SV (removed UI stuff)
	* added support for notbefore and notafter in requests via
	  the already existing CHANGE_DAYS option (RFE #1001988)
2004-Aug-03:
	* 0.9.2 RC6
	* fixes for OpenCA-SV and OpenSC
	    - openca-sv detects dynamic engine now automatically
	    - OpenCA::OpenSSL filters PINs before it outputs debugging
	      infos
	    - fixed output filtering via callback in OpenCA::OpenSSL
	    - correct initialization of the key status in
	      OpenCA::Token::OpenSC
	    - better verbose messages in openca-sv to detect private key
	      problems
	* fixed CSR listing if LOA is "All" (bug #1001877)
	* fixed loss of LOA in pkcs10_req (bug #1001898)
	* fixed Makefile.global_vars.in to support DESTDIR of Debian
	* fixed output handling in OpenCA::OpenSSL to handle the usage
	  of engines for all commands
	* fixed wrong permissions because of an implicit database
	  initialization in OpenCA::DB during new (bug #1000426)
2004-Jul-30:
	* usage of loa can now be set in config.xml
	  default: yes
	* added loa support for scep requests (bug #998661)
	* fixed mailimport and sending behavior, now uses databases (bug #972741)
	    - two separate databases are used
	    - the (already available) exim-db for deciding if
	      new mails should be imported (saves copy operations)
	    - one db per maildir to decide to send available mails (if new) or not
	    - no mails are deleted at current state of implementation
	      (this is not to break the send-crin-mail by id again functionality
	       at the node interface: menu->utilities->send a CRIN-Mail)
	* fixed the dataexchange
	    - commits are now exchanged incrementally too
	    - different DBM versions no longer matter (bug #982749)
	* fix emailhandling in CSRs and certs (bug #995112)
	    - fixed email displaying in viewCSR
	    - fixed subject alt name building in viewCSR
	    - extended crypto_get_csr_subject with explicit CERT_SERIAL
	    - OpenCA::REQ now supports getParsed()->{EMAILADDRESSES}
	    - OpenCA::DBI now uses $obj->getParsed()->{EMAILADDRESSES}
	* basic_csr
	    - use strict
	    - fixed removal of tempfiles
	    - fixed displaying of subject alt name
	    - fixed displaying of subject
	* all objects loaded from the databases now support getStatus
	* fixed timing problems in 1.t of OpenCA::XML::Cache
	* updated Convert::ASN1 (bug #990992)
	* fixed several RFC2253 incompatibilities
	    - basic_csr regex in basic_csr_buildDN
	    - basic_csr regex for SPKAC handling
	* added strategy appendix
	* updated user guide documents
	* added missing bpImportProcessDataCompact.xml
	* UI changes
	    - use the browser-based language detection only once (bug #998508)
	    - added hex-serial-numbers as addition to dec-numbers for lists
	      and cert-view
	    - interface language is set from the browser-supported languages;
	      changing it through the interface is still possible
	    - removed PINs from error messages of OpenSSL.pm (bug #993697)
	    - renewCSR now copies additional attributes (bug #994524)
	    - renewCSR now copies an existing LOA (bug #993669)
	    - changed detection of encoding in initEncodings
	    - fixed focus handling and repair IE stuff with this
	* signature verification
	    - stop approving of requests in case of error in
	      signature verification
	    - added verification of approving certificates
	    - added error for expired certificates too
	      (may be changed in future, but necessary to prevent
	      expired certs from signing requests)
	    - checking the certificate state now (bug #991142)
	    - fixed role verification in bpIssueCertificate (bug #989369)
	    - fixed text to sign in confirm_revreq (\n --> \r\n)
	    - head will be signed in confirm_revreq (bug #991134)
	    - signed user CRRs will no longer be changed (bug #991134)
	    - create new CRR if user CRR was signed (bug #991134)
	    - fixed detection of cert state in submit_revreq
	    - extended viewCRR with cert and USER_CRR references
	    - fixed getSignature in REQ.pm to be used as normal function
	* fixed use-statements for setlocale in OpenCA::OpenSSL
	  (bug #989366)
	* do not check the role of a CA certificate any longer in
	  OpenCA::AC if the datatype is CERTIFICATE (bug #981787)
	* copied changes from bpIssueCertificate to bpRevokeCertificate to
	  fix several problems (bug #990126)
2004-Jul-09:
	* security fix for bug #974063 (passphrases were logged)
	* set serial and subject in CRIN mails (RFE #984093)
	    - added replacement code in crypto-utils.lib
	    - added serial and subject to PIN mails of C and de_DE
	* fixed wrong subject alt name in template sample_openssl.ext.in
	  which is used for new roles (bug #987231)
	* the cursor is now in the first input field (RFE #978958)
	* fixed incremental dataexchange (bug #982749)
	    - dataexchange of objects is now managed via DBM files 
	    - files have now the suffix .dbm and not .log
	    - mails are now handled by eximSetImported too
	    - fixed the checks of the return status of DB_File->get
	    - fixed checks of DB_File->put like for get (bug #987821)
	* encoding related fixes
	    - fixed setLanguage in initServer to tolerate more Perl
	      installations like on FreeBSD and Slackware
	    - added function initEncodings in initServer to detect
	      different formatted encodings
	    - fixed encoding in XML log messages (bug #974686)
	    - fixed regex for MIXED in OpenCA::TRIStateCGI again
	    - added option for characterset of fields in basic_csr
	    - added encoding to S/MIME mails in SMIME.pm (bug #984072)
	    - send info mail for new cert with encoding - see
	      crypto_send_info_mail in crypto-utils.lib (bug #984072)
	* fixed bug #983310 (wrong use of RAW certificates)
	* fixed wrong handling of certs with more than one email address
	    - OpenCA::X509 now returns only one address in EMAILADDRESS
	    - OpenCA::X509 returns all addresses in EMAILADDRESSES
	    - OpenCA::OpenSSL->getSMIME can now handle CC
	    - crypto_add_pin_to_header in crypto-utils.lib sets CC now
	    - viewCerts uses EMAILADDRESSES now
	    - lists uses EMAILADDRESSES now
	    - fixed bugs #984122 and 984144
	* fixed typo (port) in Syslog.pm (Nuno Ricardo Gomes Antunes)
	* added support for nCipher HSMs by Martin Bartosch
	* fixed typo in pkcs10_req (bug #984196)
	* signature verification
	    - added detection of wrong digest to openca-sv
	    - aggressive error detection for verify in OpenCA::OpenSSL
	    - added better error detection to viewSignature
	    - fixed output of attached data from signature at openca-sv
	    - fixed OpenCA::UI::HTML (always send CRLF in variable text)
	    - better error message from verifySignature
	    - fixed infos from https in test_cert (bug #983525)
	    - signatures of roles and PINs include now the data
	    - verifySignature compensates for added \r (CR) from browsers
	    - verifySignature works now with CA certs as signer too
	    - fixed error detection in OpenCA::OpenSSL->pkcs7Certs
	    - fixed error detection in OpenCA::PKCS7->getParsed
	    - added support for CA cert as signer in crypto-utils.lib
	      function libGetSignerCertificateDB
	    - added manual verification of cert's role and PIN
	    - added "SET NAME 'charset'" to OpenCA::DBI init
	    - fixed crypto-utils.lib for correct pst of HEADER and BODY
	      of objects (CRLF and not LF must be used)
	    - fixed extraction of BODY in REQ.pm
	    - split listReqs into listCSR and listCRR
	* remove Makefiles in src/modules/* if "make clean" fails
	  because of wrong timestamps on the directories (bug #978827)
	* better collection of email addresses in viewCSR (bug #973280)
	* fixed wrong usage of get_xpath_count in batch functions
	  check_csr and check_csr_params (bug #976605)
	* fixed displayed minimum PIN length in basic_csr (bug #976730)
	* fixed handling of empty arrays if searching for (non-existing)
	  levels (bug #974808)
	* activated old code to export and import the role dependent
	  OpenSSL config (bug #973968)
	* added DES support to openca-scep (from Christian W. Pohl
	  <pohl@secaron.de>)
	* load the LDAP stuff always
	* new script remove_perl.pl to remove Perl stuff from pot files
2004-Jun-14:
	* 0.9.2 RC5
	* command loading now detects syntax problems
	* added lifetime checks to:
	    - editCSR
	    - viewCSR
	    - changeCSR
	    - approveCSR and approveCSRnotSigned
	* fixed SUBJECT_ALT_NAME_* handling in bpImportProcessData
	* added [ and ] to regex for MIXED in OpenCA::TRIStateCGI
2004-Jun-13:
	* using DN_TYPES now to control getStaticPage output
	* fixed bindir in config.xml
	* OpenCA::DBI
	    - fixed getNextItem
	    - better handling of execute errors
	    - fixed ordering of listItems
	* private key handling for server side keygeneration
	    - fixed key removal during certificate enrollment
	    - fixed key removal from request during certificate issuing
	* added stdout callback to OpenCA::Token::OpenSC
2004-Jun-11:
	* removed show scripts from the CA interface
	* rights can be viewed again
	* fixed session (cookie) cleanup
	* created central debugging switch in log.xml
	* fixed double or triple error messages
	* removed nodeEnrollConfig from CA
	* respect already generated CA keys and certificates
	* re-added submenu for CRLs (in information tab)
	* added module ID for web-interface batch
	* removed FORCE mode from cmds/genDB for OpenCA::DB
	* added htdocs/batch to configure_ets.sh (tomichael)
	* fixed OpenCA::XML::Cache for better logging and debugging
	* fixed OpenCA::Log to reduce the noise in var/tmp/xml_cache.log
	* basic_csr can now handle empty fields in the CSR subject
	* bugfix for wrong symlinks in webinterfaces/*/cmds/Makefile
	* OpenCA::Token::OpenSC
	    - key generation works (with carddriver flex)
	    - card initialization integrated into key generation
	    - dynamic OpenSSL engine integrated into OpenCA::OpenSSL
	    - added example to token.xml
	    - request generation works (including patch for engine
	      pkcs11 of OpenSC)
	    - added PIN handling to OpenCA::OpenSSL
	    - fixed OpenCA::OpenSSL::SMIME for dynamic openssl engines
	* several fixes for OpenCA::Crypto (better error detection)
2004-Jun-06:
	* fixed viewCRR for signing CRRs
	* updated bpDoStep from 11 to 16 steps
	* fixed editCSR related to subject alt names in basic_csr
	* fixed basic_csr to support empty subject alt name
	* fixed bugs in new execution system of OpenCA::OpenSSL
	* fixed typos in OpenCA::OpenSSL::SMIME
	* fixed several configuration issues
2004-Jun-05:
	* support for subject alt name in basic_csr
	* integration of individual certificate lifetimes
	* redirected STDERR to var/log/stderr.log from etc/log.xml
	    - changed the debugging of OpenCA::DBI
	    - centralized debugging in OpenCA::OpenSSL (incl. SMIME)
	    - added debug function to misc-utils.lib
	* fixed typo in OpenCA::Configuration
	* fixed order of initialized global variables
	* fixed error detection for corrupted commands
	* added logging for normal commands
	* several OCSP improvements
	    - Fixed compilation problems on Solaris
	    - Added support for exclusion of ldap usage
	      (--disable-openldap)
	    - Added support for openldap directory specification
	    - Fixed signal handling and correct children death
	* several fixes for the XML generation in OpenCA::Log::Message
	* added recovery for index databases of XML logging module
	* created new web interface batch
	* OpenSSL engine support
	    - option ENGINE is now only supported by new and setParams
	    - cleanup configuration
	    - fixed bug #961480, #961558, #961571 and #961593
	    - "-keyform e" is now present for the correct commands only
	    - replaced "#ifdef OPENSSL_ENGINE" by
	      "#ifndef OPENSSL_NO_ENGINE" in openca-sv
	    - OpenCA::Crypto supports multivalued parameters
	    - centralized OpenSSL command execution for dynamic engine
	      support
	    - openca-sv supports now -pre and -post for dynamic engines
	    - reorganized openca-sv
	* added support for "make test"
	    - lib/bp
	    - lib/cmds
	    - lib/functions
	    - modules
	    - openca-sv
	* several "make test" related bugfixes to OpenCA::X509,
	  OpenCA::DB, OpenCA::DBI, OpenCA::XML::Cache, OpenCA::OpenSSL
2004-May-10:
	* XML cache improvements
	    - OpenCA::AC displays better error messages on XML problems
	    - XML cache will be checked on startup
	    - better error messages and detection for OpenCA::XML::Cache
	* support for an OpenSSL wrapper added (needed by nCipher)
	* always use UTC and not localtime (OpenCA::UI::HTML)
	* added support for "mail" and "uid" to ldap.xml
	* renamed LDAP commands to prefix "ldap"
	* fixed adding of CRLs and certs with changed names to LDAP
	  (javascript variables used without ".value")
	* better export of binary certificates with sendcert (Ed Eden)
	* fixed creation of new revocation on public interface
	  (Sebastien Poggi)
	* dataexchange devices are now configurable via config.xml
	* fixed generation of CRIN-E-Mail (Sebastien Poggi)
	* added Japanese translation
	* merged makefiles of src/common/lib/locale/*_* to
	  src/common/lib/locale
	* small fix for the output of listReqs
2004-Apr-16:
	* 0.9.2 RC4
	* changed doc/guide/Makefile to support Apache FOP 0.20.5
	* better handling of user and group for XML cache
	* fixed make test in OpenCA::OpenSSL and OpenCA::StateMachine
	* added javascripts to all interfaces except of scep to
	  generally support X.509 based authentication
	* added PIN verification during RA approval process
	* fixed a session caching problem for AC
	* fixed paths to openca-sv for use with configure --exec-prefix
	* fixed channel verification of access control
	* fixed X.509 Login Auth
	* added missing rbac-config file for Cleanup Sessions
	* fixed syntax error in viewCRR (Michael Portz)
	* added commented SmartcardUser template to User.ext
	* fixed the creation of a new CRR on the RA interface
2004-Mar-19:
	* added i18n support to the batch functions
	* fixed user interface of batch system
	    - pkcs#12 enrollment works now
	* fixed initial CRR creation (confirm_revreq useless now?)
2004-Mar-18:
	* fixed wrong i18n initialization of access control module
	* fixed certificate enrollment for IE in ieEnroll.js and
	  OpenCA::UI::HTML
	* removed private key check from workflow_create_pin
	* added private key check to workflow_backup_key
	* fixed user interface of batch system
	    - listing of processes
	    - view process data
	    - keyrecovery for pure private key
	    - keyrecovery for private key and certificate
	    - set and unset states
	    - single execution of a batch function
	    - pin enrollment works now
2004-Mar-12:
	* fixed mail sending for RA
	    - removed mailsendername and mailsenderaddress
	    - mail-utils.lib now strict
	    - fixed writeCertMail
	* added roles to normal accounts
	* role mapping activated by default
	* added appendix for references
	* removed static HTML pages for CA certificate and CRL download
	* some fixes for openca.pot
	* OpenCA::AC now fully translatable
	* dynamic linking of common.conf by openca_start
	* added mail-utils.lib to initServer
	* added support for the subject alternative name attributes
	  MS_UPN and MS_GUID
	* fixed docs for Microsoft's othername usage
	* added role Domain Controller
2004-Mar-03:
	* 0.9.2 RC3
	* added support for more flexible subject alternative names
	  (including support for Microsoft domain controllers)
	* better automatic string extraction
	* added otherName to the available subject alternative name
	  attributes to support OpenSSL 0.9.8 and Microsoft
2004-Mar-01:
	* fixed initialization parameter DEFAULT_TOKEN in OpenCA::Crypto
	* fixed initialization of OpenCA::OpenSSL::SMIME in function
	  getSMIME of OpenCA::OpenSSL
	* fixed datatype in genCRLfromFile
	* next updates for openca.pot
	* fixed output of LDAP.pm
2004-Feb-25:
	* switched de_DE to native characters with ISO 8859-1 encoding
	* integrated strings from all modules in openca.pot
	* OpenCA::Logger::XML is now safe against process scheduling
	* prepared all Perl modules except of XML cache for translation
	* OpenCA::UI::HTML has native i18n support (based libintl-perl)
2004-Feb-20:
	* fixed bpIssueCertificate for token concept
	* fixed potential endless loop during export
	* fixed passphrase protected key download from pub
	* fixed recovery code for not used serials
	* fixed next serial after recovery
2004-Feb-19:
	* 0.9.1.8
	* fixed reversed subjects after recovery of OpenSSL's index.txt
	  (openca_0_9_1 too)
	* fixed SCEP detection
	* added pkiclient.exe link to handle configuration errors and
	  stupid SCEP clients
	* added CRLDir to scep.conf
	* added default section to LDAP schema definitions in ldap.xml
2004-Feb-18:
	* fixed CSR generation and signing for Internet Explorer
	* added LOG token to token.xml
	* moved core LDAP code to OpenCA::LDAP
	* moved LDAP schema specification from source code into ldap.xml
	* fixes for pl_PL
2004-Feb-13:
	* centralize the printing of the content type
	* number of steps of the batch system can now be specified
	* fixed reference links on lists
	* fixed status displayed by listCerts
	* fixed error message "unable to write 'random state'" during
	  certificate issuing (added configuration option RANDFILE to
	  token.xml because "openssl smime" needs the environment
	  variables RANDFILE or HOME to determine a writeable randfile)
	* split libIssueCertificate into several smaller functions
	* functions for batch system:
	   - backup_key
	   - check_csr_params
	   - create_csr
	   - complete_csr
	   - check_csr
	   - create_cert
	* added backup_key to the functions for the batch system
	* fixed conversion bug in OpenCA::OpenSSL
	* token login now displays the token name
	* removed naming-utils.lib
	* module MIME::Base64 no longer needed
	* module MIME::Tools added to dependency list
2004-Feb-05:
	* fixed used certificate for OpenCA::OpenSSL->encrypt
	* fixed pin and key generation for batch system
	* fixed detection of keybackup key during installation
2004-Feb-04:
	* added Polish (pl_PL) from F.Lewenda
	* added support for different encodings
	* moved from Locale::gettext to libintl-perl (required to easily
	  support different encodings)
	* removed wrong documentation from src/scep/docs
	* functions for batch system:
	   - check_key_params
	   - create_key
	   - check_key
	* fixed crypto token initialization and configuration
	* fixed OpenCA::OpenSSL->encrypt
	* initServer waits for one second after the XML cache
	  initialization to avoid errors during openca_start
	* fixed CA-certificate lists on ldap interface in menu.xml
	* fixed error messages for LDAP actions
	* serverInfo now uses the normal output system
2004-Feb-02:
	* 0.9.2 RC2
	* small change in Makefile.devel for SuSE packaging
	* fix for CRIN supported by the user during CSR generation
	  (openca_0_9_1 too)
2004-Jan-30:
	* fixed wrong OS detection in src/scep/configure.in
	* API of batch system fixed
	* functions for batch system:
	   - create_pin
	   - check_pin
	* replaced SignPath and VerifyPath by OpenCA_SV_Path
	* using now openca-sv in OpenCA::OpenSSL
	* added encrypt and decrypt to OpenCA::OpenSSL
	* OpenCA::AC now tolerates empty passphrases
2004-Jan-27:
	* next cleanup for the autotools
2004-Jan-26:
	* fixed initialization of node
	* fixed documentation for node initialization and module conflicts
	* core components of new batch system work
2004-Jan-20:
	* next fixes for the makefiles to complete the use of openssl_cflags
	  and openssl_lib instead of OPENSSL_PREFIX
	* openca.pot updated for 0.9.2 translations
	* next fixes for second batchprocessor generation
	* SecClab plugin works
	* added forgotten hidden field signature to viewCSR
	* better error message for cert and key enrollment
2004-Jan-16:
	* 0.9.1.7
	* fixes for pkgconfig and better openssl detection by Rob Thorne
	* OpenCA finally compilable for Debian packaging by Alessandro Razeto
	* added add_role to show_roles
	* fixed docs for PostgreSQL
	* the correct certificate in a chain must be located via a complete
	  comparison and not only a serial match in crypto-utils.lib
	  (security advisory CAN-2004-0004 issued) (openca_0_9_1 too)
2004-Jan-14:
	* OpenCA::Statemachine replaces old batchprocessors
	* etc/servers/common.conf will only be created from node.conf
2004-Jan-09:
	* CRL numbering by timestamp
	* display submit date with viewCSR
	* added HtdocsUrlPrefix to scep.conf to support single SCEP gateways
	* added runlevel control file openca_rc
	* added configure option --disable-external-modules
	* fixed the detection of linux in src/openca-sv/configure.in and
	  src/ocspd/configure.in
	* now logging CGI params too
	* fixed basic_csr final message for usage on CA interface
	* fixed symlink for common.conf in all src/web-interfaces/*/Makefiles
	* some memory BIOs in OpenSSL.xs were not correctly initialized and
	  data blocks longer than 1024 bytes were not read correctly - as a
	  result all certificates with long keys like 4096 bit work now
	  (bug found and fixed by Albert Novak <albert.novak@pu.CARNet.hr>)
	* added Makefile.devel with all static development stuff (cleanup
	  of all the autotool stuff)
2003-Dec-19:
	* 0.9.1.6
	* fixed LDAP code to support certificates without an emailaddress
	  (openca_0_9_1 too)
	* small fix in basic_csr to detect empty passphrases correctly
	* fixed OpenCA::DB because of sequence problems after wrong state
	  detection
	* added first support for SecClab plugin
	* removed approve CSR buttons from CA interface
	* fixed renewal button in viewCSR
	* fixed wrong socket file position of XML cache
2003-Dec-18:
	* XML logging mechanism fixed for searching
	* access control adds the session ID to the log message during login too
	* looks like the keys of DBM files are too short for our log IDs
2003-Dec-16:
	* documentation update
	* --with-hierarchy-level was removed from configure and the different
          options were added to config.xml. ./configure without options should
          work now. New packages from distros should now be fully usable.
	* fixed src/web-interfaces/scep/functions/Makefile to support all
	  libraries (necessary for initServer)
	* upgraded Net::Server to 0.86 to fix some daemon problems with setuid
	  and FreeBSD
	* documentation available as chunked HTML version
2003-Dec-10:
	* 0.9.1.5
	* moved PEMCACert to CACertificate (openca_0_9_1 too)
	* CACertificate always cacert.pem (openca_0_9_1 too)
	* removed illegal configure file from it_IT (openca_0_9_1 only)
2003-Dec-05:
	* 0.9.2 RC1
	* fixed some unclean Perl stuff which will be rejected by Perl 5.8.1
	  (openca_start and initServer)
2003-Nov-27:
	* 0.9.1.4
	* changes for support of multivalued RDNs in OpenCA::X509, changeCSR
	* additional patches for the signature verification - crypto-utils.lib,
	  verifySignature and viewSignature are affected (openca_0_9_1 too)
	* fixed wrong javascript form reference in test_cert and confirm_revreq
	* fixed signature verification of role in sub CAs in bpIssueCertificate
	  and OpenCA::PKCS7 (openca_0_9_1 too)
2003-Nov-25:
	* fixed three bugs in crypto-utils.lib and OpenCA::PKCS7 which corrupt
	  the signature verification - the serial of a CA certificate was
	  sometimes used to load and check the certificate which was used to
	  sign the data
	  (security advisory CAN-2003-0960 issued) (openca_0_9_1 too)
	* added support for multivalued RDNs
2003-Nov-24:
	* created OpenCA::UI::HTML
	* OpenCA is now a server via Net::Server (use etc/openca_start)
	* fixed wrong errors (means the error which is detected is not an
	  error) which take place if renewed requests will be edited
	* fixed errormessage if the loading of code fails from Ronny Standtke
	  <standtke@swiss-it.ch>
	* setParams no longer stores CGISESSID in html pages
	* removed name="submit" from all html input fields (Mozilla has a
	  problem with fields with the name submit)
	* better errormessage for empty database passphrases
	* fixed umask problem in XML::Cache
	* added USER_AGENT and REQUEST_METHOD to transferred parameters
	* automatic file upload on Apache in initCGI
	* output of issueCertificate fixed
	* set some forgotten "$DEBUG = 1;" statements to 0
	* added to, from and subject to the plain text message at getSMIME in
	  OpenCA::OpenSSL
	* verifySignature adapted to 0.9.2
	* fixed handling of ADDITIONAL_ATTRIBUTEs in pkcs10_req
	* fixed issueCert in OpenCA::OpenSSL for multivalued RDNs
	* detect empty SPKAC in basic_csr
2003-Sep-22:
	* updated genMen command to the new menu look
	* fixed an error in the libSendReply command (missing <form> tag)
	* next fixes related to the initialization
2003-Sep-19:
	* fixed -minlen in basic_csr (allowing empty ATTRIBUTE_* fields)
	* fixed overwritten CA key pair generation on CA init page
	* initDBI uses now a XML configuration file
2003-Sep-18:
	* fixed infinite loop in exist mode for base dn in pkcs10_req
	* updated the output of basic_csr
	* added forgotten SIGN_FORM to viewCSR and viewCRR
	* added caching of database handles to OpenCA::Logger::XML
	* OpenCA::XML::Cache
	* OpenCA::Crypto and OpenCA::Log support xml cache
	* added Time::HiRes based performance accounting
	* fixed parameter handling in getParams
2003-Aug-20:
	* 0.9.1.3
	* SECURITY BUGFIX: configuration files of the servers now have
	  permission 640, owner openca_user and group httpd_group to protect
	  the private content like ldap passphrases (openca_0_9_1 too)
	* removed hex conversion of serial from OpenCA::X509
2003-Aug-18:
        * updated stylesheets
        * i18n
            * every language available on every interface
            * moved --with-language to default_language in config.xml
            * one default language per interface
            * openca.po, javascript and mails must be translated now
	    * moved all single quotes to double quotes (!!! never use single
	      quotes for strings which must be translated !!!)
        * OpenCA::Session extracted from OpenCA::AC
2003-Aug-12:
	* added default.css to all sheets and defined first classes
	* easier stylesheet configuration for genMenu
	* corners of the menu are now white and color neutral (transparent)
	* F-Secure VPN+ 5.43 talks with our SCEP
	* removed all sheets
	* centralized prepared mails
2003-Jul-31:
	* fixed empty states during dataexchange of objects in export-import.lib
	  (openca_0_9_1 too)
	* CSS support for menu generation
	* fixed csr-utils.lib to compensate removed variables in pkcs10_req
	* all subdirectories below i18n/C were installed twice
	* added support for unstructuredName and unstructuredAddress for SCEP
	* fixed "make test" for OpenCA::OpenSSL
	* fixed SPKAC in OpenSSL.xs
	* simplified the CGI scripts by centralization of source code (now there
	  is one initCGI for all interfaces)
	* javascript cleanup (only signForm and IE request and certificate
	  handling remain)
	* new options for basic_csr:
	    - *_ELEMENT_*_REQUIRED
	    - *_ELEMENT_*_MINIMUM_LENGTH
	    - *_ELEMENT_*_XML_FILE
	    - *_ELEMENT_*_XML_PATH
	* replaced most tests -f in makefiles with -e (openca_0_9_1 too)
	* major regex bugfix from Lyle Winton (winton@physics.unimelb.edu.au)
	* removed all subject related enforcements from OpenSSL configuration
	* NetScreen ScreenOS 4 tested with SCEP code
2003-Jul-15:
	* CRL enrollment
	* better extensions for mail servers (now they have client and server
	  extensions)
	* several small fixes for cleaned up export-import.lib
	* added support for mailaddresses in ldap-utils.lib for every possible
	  objectclass (openca_0_9_1 too)
2003-Jul-03:
	* better separated additional attributes in basic_csr
	* rebuildChain in interface of node
	* i18n for menu.xml (openca-extra.pot)
	* introduced default.css
	* fixed addCRR and viewCRR
	* cleaned up htdocs areas
2003-Jul-02:
	* OpenCA::DBI fixed for CA certificates (openca_0_9_1 too)
	* OpenCA::AC fixed for serial of CA certificates
	* several fixes for export-import.lib
	* cleanup of OpenCA::DBI (no longer extra logs)
	* unified backup and recovery for DB and DBI
2003-Jul-01:
	* 0.9.1.2 and snapshot of CVS HEAD
	* ca-openssl.cnf --> openssl.cnf
	* genCRLfromFile includes revoked certificates now
	* added search for requests
	* added full flexible CDPs to config.xml
	* new states for CSR and CRR
2003-Jun-11:
	* third pre-release of 0.9.1.2 and snapshot of CVS HEAD
	* fixed bug related to verification of pubkey (SECURITY BUG)
	    - not UNIQUE_DN must be allowed
	    - option deactivates pubkey verification
	* fixed lost datatype in removeKey from Venki
	  <a_venkatesh79@yahoo.co.uk> (openca_0_9_1 too)
	* added structure for docbook based documentation (don't integrate
	  the makefiles in the make structure of OpenCA, not everybody
	  has XSLT tools)
	* fixed inconsistency in interface management
	    - some links were managed by moduletype (view*)
	    - some links were in sheets/inc
	    - new option CmdRefs_viewCSR etc.
	    - all links and buttons in the table
	    - script can now be configured in the normal conf-file
	* fixed inconsistency in session management (SECURITY_BUG)
	    - login per interface
	    - session (cookie) valid for every interface!!!
	* fixed conversion of CA-cert in genCACert from PEM to TXT (found by
	  Stefan Dietiker <dietiste@zhwin.ch>) (openca_0_9_1 too)
	* added again some session flushs to OpenCA::AC - now it works
	* removed several unused files in the CVS HEAD
	* updated Perl modules
	* ldap fixes in ldap-utils.lib (openca_0_9_1 too):
	    - wrong regex which creates wrong attribute values for the suffix
	    - wrong LDAP objectclass stacks
	    - duplicate mail entries for one cert
	    - emailaddress for certs with serialNumber and correct objectclass
	      stack
	    - new objectclass uniquelyIdentifiedUser from "Entrust Directory
	      Schema Requirements for Entrust 6.0"
	* ieCSR.vbs supports now 512, 1024 and 2048 bit rsa keys
	* docs now in PDF too but without images
	* more errorproof CSR editing
	* removed encryption for mysql from OpenCA::DBI (openca_0_9_1 too)
	* viewCert had two fields format for sendcert and send_cert_key
	* automatic setting of ContentType in case of an error
	* additional attributes are editable now
	* added print button to request_success.html to support printable
	  agreements
	* additional attributes work now for basic_csr too
	* added setPasswd
	* fixed some problems with genMenu and activated it for all interfaces
	* added objectclass uniquelyIdentifiedUser from Entrust to handle
	  serialNumber (openca_0_9_1 too)
	* added passphrase protected access to send_cert_key via public
	  interface
	* added crl_httpd_protocol to config.xml
	* OpenCA::REQ supports now multirow attributes incl. setHeaderAttribute
2003-May-23:
	* added httpd_protocol to config.xml
	* added sendcert to all interfaces except of scep and node
	* fixed content-type for all missing commands
	* Updated ASN.1 routines in scep code (openssl 0.9.7 compliant)
	* dynamic csr headers
	* PKCS#10 supports dynamic header attributes (Bahaaldin Al-Amood)
	* small fix for translation
	* fixed hardcoded paths of OpenCA::OpenSSL (XS)
	* fixed pubkey verification in approveCSR*
	* added check for missing key during SPKAC request
	* fixed persistent files and directories in var/tmp
	    - scep_*
	    - *_data.msg
	    - *_data.tmp
	* fixed wrong right for var/crypto/chain/Makefile.crt
2003-May-12:
	* snapshot + second pre-release of 0.9.1.2
	* added Italian from Simone Rossi <simone.rossi@hp.com>
	* fixed a bug in the makefile of the ocspd in openca_0_9_1
	* fixed debug switch in scep code
	* subject verification for PKCS#10 requests (Bahaaldin Al-Amood)
	* engine support for OpenCA::OpenSSL::SMIME
	* logging to syslog
	* logging via XML
	* search logs
	* warnExpiring works now
	* preserve userdefined ordering of roles in roles.xml
	* download certificates in various explicit format
	* OpenCA::X509 tolerates critical extensions (openca_0_9_1 too)
	* CRL to ldap fixed (roles must be ignored)
	* fixed errordetection for ldap updates of CA-certs (export-import.lib)
	  (openca_0_9_1 too)
2003-Apr-28:
	* snapshot + a first pre-release of 0.9.1.2
	* incompatible SQL DB-tables so follow the instructions in
	  SQL-DB-Format-Change (because we store SCEP's transaction ID in the
	  request's header)
	  otherwise you can alter some tables of your OpenCA database
	    - vendor | field type
	      -------------------
	      Pg     | text
	      mysql  | TEXT
	      DB2    | long varchar
	      Oracle | varchar2 (1999)
	    - alter table request add scep_tid TEXT;
	    - alter table log add scep_tid TEXT;
	* removed all statical pages which are called by the interfaces
	  directly
        * fixed Makefile.global-vars.in (Brian May <bam@snoopy.apana.org.au>)
        * fixed importCACert (used old export/import-config)
	* access control added:
            # OpenCA::AC implements a XML-based access control
	    # etc/access_control/*.xml for configuration
	    # etc/rbac/roles.xml
	    # etc/rbac/modules.xml
	    # etc/rbac/cmds/
	    # etc/rbac/acl.xml
        * configure_etc.sh in the etc area configures OpenCA after the
	  installation via config.xml (now we can build usable packages)
	* certificationAuthority --> pkiCA (LDAP objectclass changed)
	  (Robert Hannemann <robert.hannemann@liz.lsa-net.de>)
	* added crypto layer and tokens to support easier hardware integration
	* added support for ldap servers which have more than one suffix
	  (openca_0_9_1 too)
	* general bugfix for configuration from Ramon Llorens Creus
	  <rllorens@diputaciolleida.es> (committed to 0_9_1 too)
	* integrated OpenCA::OpenSSL::Fast into OpenCA::OpenSSL
	* OpenCA::OpenSSL::SMIME contributed by Martin Ferrari
	  <mferrari@decidir.net>
	* bugfix for OpenCA::REQ (Ives Steglich <steglich@emt.iis.fhg.de>)
	  (openca_0_9_1 too)
	* ldap code now schema compliant (openca_0_9_1 too)
	* added French from Nicolas Pouvesle <npouvesle@mond.net>
	  (openca_0_9_1 too)
	* fixed generation of the serials (openca_0_9_1 too)
	* special roles can be excluded from LDAP (Chris Covell
	  <chris@katjam.co.uk>)
	* added TLS support to ldap-utils.lib
	* added SASL support to ldap-utils.lib
	* dozens of bugs found by Brian May during packaging OpenCA for Debian
	* first rudimentary support for checking for already installed
	  Perl modules
	* added scep support (many thanks to Ives Steglich <steglich@emt.iis.fhg.de>)
2003-Feb-23:
	* 0.9.1.1
	* OCSPd Correctly lookup using loaded CRL
	* OCSPd Added extensions management from CRL to OCSP response
	* OCSPd Updated the sample (contrib/) configuration file
	* OCSPd Added CRL retrieval from LDAP server
	* OCSPd Added LDAP support (needs OpenLDAP libraries)
	* OCSPd Added CRL retrieval from file
	* fixed SPKAC in basic_csr
	* fixed IE DNs in basic_csr
	* fixed export_import.lib
	* added patches from Marc Pfatschbacher <pfatschi@gmx.net>
	    # basic_csr
	    # bpRevokeCertificate
	    # export-import.lib
	* added DSA-keys to genSKey (only committed to HEAD)
	* fixed removeKey for DBM-files
	* fixed sign in OpenCA::OpenSSL (patch from Ramon Llorens Creus
	  <rllorens@diputaciolleida.es>)
2003-Jan-03:
	* 0.9.1
	* added TODO and CHANGES
2002-Dec-22:
	* 0.9.1 RC7
	* only openca.pot, openca-html.pot and the javascriptfiles must be
	  translated
	* language es_ES available
	* language de_DE migrated to new mechanism
	* fixed unclean usage of OpenCA::REQ in basic_csr and bpCreateCSR
	* several fixes for i18n (typos and wrong functions)
	* Javascript-fixes for Mozilla and Netscape <5
	* fixed several problems in OpenCA::DB
	* cleanup interface of OpenCA::DBI (DB2 works again) and avoid crashes
	  of the web interfaces if databases are down
	* fix for use of not unique DNs in crypto-utils.lib
	* don't overwrite mailcounter during importing mails
	* integrated security-fix of Microsoft for MS02-48
	* perl 5.8 supported
	* LDAP v3 supported
	* usercerts without emailaddress are now handled correctly by the ldap code
	* better signaturehandling for listReqs and viewSignature
	* added special CRL-generation
	* certificates cannot have a longer lifetime than the CA-cert now
	* PINs in the batchprocessors are now encrypted
	* fixed several missing statechecks
	* support for HSMs added (Chrysalis-ITS Luna CA3) - special thanks to
	  Bahaaldin Al-Amood <balamood@vt.edu>
	* new export/import system supports incremental exports
	* merged basic_csr, ie_req and spkac_req (incl. automatic browser
	  detection if wanted)
2002-Oct-02:
	* 0.9.1 RC6
	* fixed a bug in src/web-interfaces/pub/Makefile (download.cer installs now
	  correctly)
	* removed -lfl from ocspd/src/Makefile and openca-sv/src/Makefile
	* fixed DBI because MySQL is really sensitive for blanks between functions
	  and parenthesis
	* better references for scrolling certificates, CRLs and requests
	* port-option added to configure (this allows the usage of servers on
	  non-standardports)
	* use strict; in all webinterfaces
	* several modifications to support mod_perl
	* fixed signature-handling in approveCRR, approveCRRnotSigned,
	  changeCRR and listReqs
	* created csr-utils.lib
	* all cmds are now functions
	* several performance enhancements in OpenCA::REQ and OpenCA::X509 to
	  speedup lists
	* explicit commit and rollback for SQL-databases
	* i18n introduced including description in file I18N
	* language de_DE available
	* support for not unique DNs (patch for OpenSSL is available too)
	* fixed mail-setting in LDAP
	* fixed installation problem with keybackup_(key|cert).pem
2002-Sep-10:
	* 0.9.1 RC5
	* fixed typo in editCSR ($datatype --> $dataType)
	* fixed status bug in OpenCA::DBI (EXPIRED works now)
	* fixed serials in the DN (now the user sees only decimal numbers)
	* rewrite the requestgeneration for IE because of some problems with
	  Siemens CardOS CSP
	* fixed the signatureverification
	* fixed import of CRR into CA
	* keybackup integrated into batchprocessor (still alpha)
	* structural cleanup completed
2002-Aug-29:
	* 0.9.1 RC4
	* renewCSR can handle now empty subject alternative names
	* certsMail.txt is now in the correct directory
	* fixed bug in crypto-utils.lib (now we can issue certificates from renewed
	  requests directly)
2002-Aug-28:
	* 0.9.1 RC3
	* RBAC:
		* deactivated debugging in rbac-utils.lib
		* removed conf-file for raServerInfo
		* added conf-file for serverInfo
		* security bugfix against misconfiguration of mod_ssl
		* some signatures will no longer be used because they bring us
		  no additional security
	* RPM-specs updated (the binaries are now much smaller)
2002-Aug-23
	* 0.9.1 RC 2
	* IE-fixes:
		* getcert works again
		* download of certificates from other users via the pub-gw works
	* Win2000 smartcardlogin tested successfully (with patched OpenSSL)
2002-Aug-21
	* 0.9.1 RC 1
	* fixed src/Makefile for use without optional C-modules
	* fixed deleteCRR to make certificates valid if there are no other CRRs
	* several small Makefile-fixes
	* moved Makefile.crt into correct directory (causes crashes during make
	  install)
	* fixed bug in OpenCA::X509 (failed for DNs with attributes which
	  include "/")
	* fixed wrong CDPs in ca-openssl.cnf, ra-openssl.cnf and
	  sample-openssl.ext.in
	* a small fix in mail-utils.lib
	* changePasswd fixed for OpenCA::DB
2002-Aug-15
	* several small changes
	* fixed CDPs in default-configuration
2002-Aug-14
	* new structure - ready for i18n and more productoriented (for re-use)
	* fixed signing for IE
	* fixed numbers of CRIN-mails
2002-Aug-12
	* 0.9.0
	* fixed typo in editCRR ($parsed --> $parsed_req)
	* fixed typo in approveCRR and approveCRRnotSigned ($req->getSerial -->
	  $cert->getSerial)
2002-Aug-09
	* RC 4
	* fix for systems with many users (linear list of links --> exponential
	  list of links)
	* OpenCA::DBI returns now 50 items and not 49 if listItems asks for 50 items
	* OpenCA::DBI starts now with the first element of a list and not the
	  second one
	* you can download now keys which have the correct format for Apache's
	  mod_ssl
	* added navigation through the users of the batch processor (not an
	  official part of 0.9)
2002-Aug-05
	* RC 3
	* subject alternative name will be set automatically by default
	* signature handling for CSRs fixed
	* initialization for PostgreSQL fixed
	* log for PostgreSQL fixed
	* unused --prefix fixed
	* ldap-utils.lib creates the root-node of the directory now too
	* ldap-utils.lib is now caseinsensitive for DNs
2002-Jul-26
	* RC 2
	* fix for OpenCA::DBI
	* updated INSTALL, LICENSE, COPYRIGHT, README and HISTORY
	* added OpenCA-guide and lifecycle to the docs
2002-Jul-23
	* RC 1
2002-Jul-17
	* OpenCA::DBIS removed
	* spec-files updated (better versionnumbers for modules)
	* build-rpm.sh updated
2002-Jul-12
	* ARCHIVIED --> ARCHIVED
	* added link from viewCert to viewCSR
	* incompatible SQL DB-tables so follow the instructions in
	  SQL-DB-Format-Change (because we store the CSR's serial in the
	  request's header)
	* DBM-users have to make a backup before the installation and after the
	  installation they have to import this backup or do the following
		* cd openca_dir/var/db/
		* mv archivied_xyz archived_xyz
	* users can get their certificates via the CSR's serial and their ID from
	  the batchprocessors too
2002-Jul-11
	* genCRL fixed (creates now cacrl.(pem|der|crl|txt))
	* added the missing batchprocessors (nearly untested)
2002-Jul-05
	* fixed some problems with the signatureverification of requests
2002-Jul-04
	* forgot to run autoconf (only users without autoconf were affected)
2002-Jul-03
	* better errormessages for genCAReq
2002-Jul-02
	* better errormessages for libIssueCertificate
	* another error 256 in OpenCA::OpenSSL
2002-Jul-01
	* fix a small bug in editCSR which causes the initialization to fail
	* include the first version of a batch processor
2002-Jun-24
	* better debuggingoutput for deleteCSR
	* fixed broken Makefile in src/cgi-bin/cgi-online/cmds/
	* support for full flexible CA-DNs
	* CRINs work
	* mailcounter will no longer be overwritten
2002-Jun-04
	* fix for changeCSR (yesterday's snapshot was broken)
2002-Jun-03
	* OpenCA works on Solaris
	* fixed broken ca.conf
2002-Jun-01
	* fixed problems with CA-certs and LDAP
2002-May-31
	* support for tokeninitialization on the RA
2002-May-30
	* support for renewal of requests
2002-May-27
	* fixes for mailsending
	* small fix for IE
2002-May-27
	* fix for IE
	* small fix for viewCRL
2002-May-24
	* RPMs are supported now
	* LDAP improvements
	* some changes in the organization of the sourcecode
	* several minor bugfixes
2002-Apr-29
	* full support for errno and errval in OpenCA::OpenSSL
	* getCRLAttribute added to OpenCA::OpenSSL
	* OpenCA::REQ fixed for parsing SPKAC-requests
	* convert issuer of OpenCA::X509 and OpenCA::CRL
	* OpenCA::OpenSSL detects errorcode 256 from OpenSSL and ignores it
	* some small fixes for better errordetection in export-import.lib
2002-Apr-23
	* several fixes for emailAddress
	* some fixes for rbac-utils.lib
	* CA Admin --> CA Operator
2002-Apr-19
	* we use DNs like described in RFC2253 only
	* the new module X500::DN and X500::RDN handles the conversion from RFC2253 and
	  X500 to OpenSSL
	* there is a new gateway for LDAP only
	* you must use an OpenSSL which includes the patches for the attribute emailAddress
	  (this requires openssl-0.9.7-20020415 or higher)
2002-Apr-12
	* verifySignature works now with IE too
	* fixes for LDAP (objectcreation)
	* patch for FreeBSD from Nelson Murilo <nelson@pangeia.com.br>
	* fix for openca-verify from Alex
	* removed passphrases from the links (only using forms with POST and not GET)
2002-Apr-10
	* next fixes for the LDAP-code
	* fixes for PKCS#7 (verification is now faster because openca-verify
	  is only used once)
	* button for renew CSRs (but no background code because the format is not defined)
2002-Apr-09
	* all lists show the affected role
	* requests must not be signed any longer
	* store LDAP-certs with other DN
	* update LDAP from viewCert directly
	* added an option to disable the automatic LDAP-update during import
	* several fixes for Javascript
2002-Apr-08
	* complete new names for RBAC (Base64 with small modifications)
	* change passphrase of private key fixed
	* fixed a bug in getItem of OpenCA::DB (CRRs should work now)
	* full support for IE (thanks to Alexandru and Marilena Matei)
	* fixed a bug in verifySignature on the pub-gw
	* some small fixes in OpenCA::OpenSSL
2002-Mar-28
	* several fixes for Solaris (see also configs/configure.michael_solaris)
2002-Mar-27
	* fixes for the export of certificates and keys
	* fixes for correct statehandling during revocation
	* fixed missing openssl-includes in OpenCA SV Tools
2002-Mar-22
	* some fixes to export/import
	* data and configuration will no longer be overwritten during installation
2002-Mar-21
	* several fixes for issueCertificate
	* more debugging output available for getSMIME in OpenCA::OpenSSL
	* all CRIN-mails in one directory
	* crashes with "Cannot encrypt PIN-mail!" caused by OpenSSL-snapshots
2002-Mar-15
	* UI-messages
	* issuing CRRs (several typos)
	* PKCS#12-export
2002-Mar-13
	* some fixes from Alexandre Matei
2002-Mar-12
	* the next fixes for getSerial
2002-Mar-11
	* fixed a lot of bugs related to getSerial
2002-Mar-08
	* several fixes (thanks to Alexandre Matei)
	* initialization works with OpenCA::DB too
2002-Mar-04
	* several fixes related to the new filesystem hierarchy
	* fix for IE requests
	* a lot of fixes for the new OCSP daemon
	* initialization works
2002-Feb-22
	* new filesystemhierarchy
	* headers of requests are signed too
	* this is a real testrelease because we changed over 100 files
	* download of certificates for IE should work
2002-Feb-18
	* fixed approveCSR
	* new installation code for the CA (experimental)
2002-Feb-15
	* standard user and group are configurable
2002-Feb-14
	* OpenCA::OpenSSL->sign has some more options
	* export-import.lib fixed (wrong code for installation of cacert.pem)
	* corrected some misspellings
2002-Feb-13
	* new script to generate requests
		* server-side generation of keypair
		* fully configurable via public.conf
		* support different configurations
	* better initialization
	* complete handling of private key on the RA
	* some improvements in the Makefiles
2002-Feb-05
	* several improvements related to configure
	* better initialization (you can simply use the web-interface)
	* one small bugfix for OpenCA::DB
	* configure still broken (exec-prefix must be set)
2002-Feb-04
	* better configure
	* fixes for DBM-files
	* some small bugfixes
	* configure broken (exec-prefix must be set)
2002-Jan-28
	* fix two bugs in the sheets for issuing and revoking certificates
2002-Jan-23
	* fixed a bug in OpenCA::DBI
2002-Jan-22
	* misc-utils.lib fixed
	* all files in lib/ are identical on CA, RAServer and Public
	* all files in cmds/ with the same name are identical on CA and RAServer
	* SCEP is no longer part of the installation (scheduled to v0.10)
2002-Jan-16
	* better UI for recovery
	* libraries are now identical in ca, raserver and public
	* remove the CRL-state EXPIRED (CRLs never expire)
2002-Jan-15
	* several small fixes
	* ldap can handle sn now
	* recovery fixed again
	* approval of CSRs works now
	* approval of CRRs works now
	* add userCertificate to LDAP fixed
2002-Jan-12
	* fixes
2002-Jan-11
	* fix file-permissions of the RBAC-configuration
	* complete update of the RBAC-configuration
	* add the role Mail Server
2002-Jan-10
	* many bugfixes because of the new code for CSRs and CRRs
	* since 2001-Dec-20 the recovery-code for index.txt and serial was broken (fixed)
	* OpenCA::OpenSSL has two new functions - getOpenSSLDate and getNumericDate
	* fixed the Makefile of cgi-public/sheets/
	* OpenCA::DBI handles now expired certs automatically (an expired cert is not a valid cert)
	* incompatible SQL DB-tables so follow the instructions in SQL-DB-Format-Change
	  (because of the correct handling of expired certs)
2002-Jan-09
	* added some missing files for OpenCA::DB (thanks to chris crowley)
	* complete new organization of the code for approving a request (CSRs and CRRs)
	* this snap has many bugs because the code for approving requests is not tested
	  (so this snapshot is not recommended for non-developers)
	* if Req means only CSR then *Req(|s) -> *CSR
2002-Jan-08
	* some fixes to support Mozilla which has some bugs
2002-Jan-04
	* Oracle improvements again
	* incompatible SQL DB-tables so follow the instructions in SQL-DB-Format-Change
2002-Jan-03
	* CRR improvements
	* Oracle support
	* incompatible SQL DB-tables so follow the instructions in SQL-DB-Format-Change
2001-Dec-22
	* sendmail integrated into configure.in
	* several improvements for CRIN-mails
2001-Dec-21
	* send CRIN-mails
	* some small fixes on the CA
	* better support for subjectAltName
	* displays correct DN and subjectAltName on CA and RAServer
2001-Dec-20
	* small fixes in OpenCA::OpenSSL (missing -config option)
	* first fixes for PIN-Mails
	* only decimal numbers exist in OpenCA
	* OpenCA::CRL and OpenCA::X509 fixing the certificate's serial
2001-Dec-19
	* import of CRLs works completely
	* ie_req should work now
	* correct initialization of OpenCA::OpenSSL
	* LDAP-code fixed
2001-Dec-18
	* because of a corruption of my cvs-files, this snap is highly
          recommended
	* fixes a Javascriptproblem for genCAReq (creates the CA's request)
        * fixes the crl-links on the Public-GW
        * fixes export-import-code again (more robust, bugs easier to find
          and fix)
        * export/import of CRLs works (still a problem with the installation
          of the CRL-directory on Public-GW)
2001-Dec-17
	* fixed two files which are perhaps corrupted in the last snap
2001-Dec-15
	* CRRs on the RAServer work completely
	* export/import of CRRs
	* CRRs on the CA
	* new design of the main-page (CA)
	* issuing CRL works (only tested nothing to do)
	* recovery of OpenSSL's index.txt works (tested with CRRs)
2001-Dec-14
	* new design of the main-page (RAServer)
	* CRRs on the RAServer
2001-Dec-13
	* CRRs on the Public-GW
	* new design of the main-page (Public-GW)
	* command "lists" works
2001-Dec-12
	* fixed Makefiles of OpenSCEP
2001-Dec-10
	* OpenSCEP included
2001-Dec-01
	* initial OpenCA v0.9 snapshot

SQL-DB-Format-Change
--------------------
	# still use your old snapshots
	# exportDB via the link on the input/output-page (Backup)
	# destroy your database
	# make a backup of the CA's private key and cert (by hand)
	# install new snapshot
	# install the backup of the CA's private key and cert (by hand)
	# initialize your database again via the link on the input/output-page (Recovery)
	# replayLog via the link on the input/output-page (Recovery)

