break common production config out into production.json, dev.json is dead now that dev is just an aws deployment

partial implementation of super-magic instadeploy of browserid to AWS instances.  next up?  security groups.  Then automatic git remote addition.  The addition of app user and a whole pile of tweaking on the template image.

updated to new version of client-sessions, renamed, and re-added connect-cookie-session for example primary

changed session over to benadida's node-cookie-session with encryption and signing of the cookie, closes #416, closes #832

implement a 'maximum request time' for bcrypt work.  server now fails more gracefully under backbreaking load, returning 503s to clients of the authenticate_user api.  update loadgen to be less dramatic about, but still display, 503 errors.  first part of issue #787 - a partial fix for #785 in dere too

update to jwcrypto 0.1.1 - now the verifier supports 'new style' assertions which are JWS structures separated by tildes and don't double base64 encode.  assertion size down 33%.  we still generate only old style assertions.  issue #507

move to a manual tarball of statsd, as github dynamic tgz gen seems broken, prevents npm install from working

upgrade to a branch of statsd that lazily closes ephemeral UDP ports, so that we're not allocating one UDP socket per request when under load.  closes #680

fix regression in keysigner - ensure non-default VAR_PATH is relayed to compute processes - issue #213

improve node.js version checking.  eliminate DRY violation, and use semver for robust version specification and matching.  nice yak, eh?

express our dependency on nodejs >= 0.6.3 in package.json and in code.  (note: I'm not sure package.json actually does anything useful, but it's a good place to document it)c

store public key on disk as a certificate which has embedded creation time.  use that as the value returned in /wsapi/session_context as domain_key_creation_time - now you can update keys at any time and outstanding client certs are expired automatically - closes #599

update jwcrypto, now issued_at is part of certificate.  in frontend code compare server time, issued_at, and domain_key_creation_time to determine if a cert has expired.  (previously, clock skew could cause certs to be regened every single time.  hawt.) issue #599