diff --git a/browserid/lib/db_mysql.js b/browserid/lib/db_mysql.js
index 06c04932b49c5f7f14ee0115f8922ad98a2382cb..eb590526c864f49f7a1901477b1410cc41a65c4d 100644
--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -190,9 +190,9 @@ exports.isStaged = function(email, cb) {
 exports.stageUser = function(obj, cb) {
   var secret = secrets.generate(48);
   // overwrite previously staged users
-  client.query('INSERT INTO staged (secret, new_acct, email, pubkey, passwd) VALUES(?,TRUE,?,?,?) ' +
-               'ON DUPLICATE KEY UPDATE secret=?, existing="", new_acct=TRUE, pubkey=?, passwd=?',
-               [ secret, obj.email, obj.pubkey, obj.hash, secret, obj.pubkey, obj.hash],
+  client.query('INSERT INTO staged (secret, new_acct, email, passwd) VALUES(?,TRUE,?,?) ' +
+               'ON DUPLICATE KEY UPDATE secret=?, existing="", new_acct=TRUE, passwd=?',
+               [ secret, obj.email, obj.hash, secret, obj.hash],
                function(err) {
                  if (err) {
                    logUnexpectedError(err);
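Review bot: The `ON DUPLICATE KEY UPDATE` branch in `stageUser` replaces both `secret` and `passwd` for an address that is already staged, and the comment `// overwrite previously staged users` does not spell out that consequence. I would expand it to something like `// re-staging an email replaces its secret and passwd: the earlier link stops working and the newest hash is the one promoted on verification`. The `/wsapi/stage_user` route shown later in this diff is registered with only `checkParams`, so it is worth confirming that staging requests are throttled per address; the handler body is not visible here. `stageUser` continues past the end of this hunk.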
@@ -212,17 +212,13 @@ exports.gotVerificationSecret = function(secret, cb) {
       else {
         var o = rows[0];
 
-        function addEmailAndPubkey(userID) {
+        function addEmailToUser(userID) {
           // issue #170 - delete any old records with the same
           // email address.  this is necessary because
-          // gotVerificationSecret is invoked both for 
+          // gotVerificationSecret is invoked both for
           // forgotten password flows and for new user signups.
           // We could add an `ON DUPLICATE KEY` clause, however
           // We actually want to invalidate all old public keys.
-          //
-          // XXX: periodic database cleanup should remove old expired
-          // keys, but this is moot once we move to certs as the
-          // server won't know about old keys 
           client.query(
             "DELETE FROM email WHERE address = ?",
             [ o.email ],
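Review bot: The surviving comment line `// We actually want to invalidate all old public keys.` in `addEmailToUser` looks stale, because this commit stops staging a pubkey and drops the note about expired keys while the rationale for the `DELETE FROM email` still talks about keys. If the server no longer stores keys per address, reword it, for example `// We actually want the old email row gone before the address is attached to this user.` If a pubkey table still hangs off `email` (not visible in this diff), say explicitly that this delete is what removes those rows. The function body and the enclosing `gotVerificationSecret` both continue outside the hunk.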
@@ -244,24 +240,24 @@ exports.gotVerificationSecret = function(secret, cb) {
         client.query("DELETE LOW_PRIORITY FROM staged WHERE secret = ?", [ secret ]);
 
         if (o.new_acct) {
-          // we're creating a new account, add appropriate entries into user, email, and pubkey.
+          // we're creating a new account, add appropriate entries into user and email tables.
           client.query(
             "INSERT INTO user(passwd) VALUES(?)",
             [ o.passwd ],
             function(err, info) {
               if (err) { logUnexpectedError(err); cb(err); return; }
-              addEmailAndPubkey(info.insertId);
+              addEmailToUser(info.insertId);
             });
         } else {
-          // we're adding an email address to an existing user account.  add appropriate entries into email and
-          // pubkey
+          // we're adding an email address to an existing user account.  add appropriate entries into
+          // email table
           client.query(
             "SELECT user FROM email WHERE address = ?", [ o.existing ],
             function(err, rows) {
               if (err) { logUnexpectedError(err); cb(err); }
               else if (rows.length === 0) cb("cannot find email address: " + o.existing);
               else {
-                addEmailAndPubkey(rows[0].user);
+                addEmailToUser(rows[0].user);
               }
             });
         }
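Review bot: The staged row is removed by `client.query("DELETE LOW_PRIORITY FROM staged WHERE secret = ?", [ secret ]);` with no callback and before the `INSERT INTO user` / `SELECT user FROM email` steps run. A failed delete is therefore never passed to `logUnexpectedError` and would leave the verification secret valid after it has been used, while a failure in the later steps leaves the user with a consumed link and no account. Give the delete a callback that at least logs the error, and consider issuing it only after `addEmailToUser` has succeeded, or running the sequence in a transaction. `gotVerificationSecret` starts and ends outside this hunk, so some of this may already be handled by code not shown.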
diff --git a/browserid/lib/httputils.js b/browserid/lib/httputils.js
index f543d403fa1ca703d5f55d48cf92f401f08565da..f88539a9b06dfc40c448fdef9e5cac1c5032bc2e 100644
--- a/browserid/lib/httputils.js
+++ b/browserid/lib/httputils.js
@@ -76,12 +76,3 @@ exports.xmlResponse = function(resp, doc)
   if (doc !== undefined) resp.write(doc);
   resp.end();
 };
-
-exports.checkGetArgs = function(req, args) {
-  [ "email", "pass", "pubkey" ].forEach(function(k) {
-    if (!urlobj.hasOwnProperty(k) || typeof urlobj[k] !== 'string') {
-      throw k;
-    }
-  });
-
-};
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 16e9138c31363ae318e16849c0e3f55fce4787f9..eefbed81d61abfdb7695d4ef9d118c30309acda0 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -128,7 +128,6 @@ function setup(app) {
    * this involves creating a secret url that must be delivered to the
    * user via their claimed email address.  Upon timeout expiry OR clickthrough
    * the staged user account transitions to a valid user account
-   * MODIFICATIONS for Certs: no more pubkey in params. Null is passed to DB layer for now.
    */
   app.post('/wsapi/stage_user', checkParams([ "email", "pass", "site" ]), function(req, resp) {
 
@@ -256,7 +255,7 @@ function setup(app) {
 
   app.post('/wsapi/add_email', checkAuthed, checkParams(["email", "site"]), function (req, resp) {
     try {
-      // on failure stageEmail may throw, null pubkey
+      // on failure stageEmail may throw
       db.stageEmail(req.session.authenticatedUser, req.body.email, function(secret) {
 
         // store the email being added in session data