Currently trunion doesn't have any application based authentication, meaning anything that can talk to trunion can call receipt generation or signing an app. Trunion is very well locked down by network access, so this isn't a biggie, but let's be careful and do a similar style of OAuth authentication that we've done between solitude, zippy and the marketplace. That way only certain apps can do those tasks.
We no longer need the existing Trunion HSM box for bug 958329 so we may not need the Trunion service
Doesn't need to be done for APK signing since we won't be using Trunion for that initially. And might be a moot point if we just move the existing logic for signing FFxOS privileged apps and Marketplace receipts from Trunion into a Django app.
I still think we should do this Ryan, what do you reckon?
Trunion is still used by the AMO and I'd still like this to happen.
(Moves to amo)