A daemon for running PKCS#11 modules in a shared mode.
The login state should be shared, but sessions and session objects should not be shared between clients of these modules.
It may be that this daemon runs in the gnome-keyring-daemon process as an optimization. But it doesn't have to be that way.
There's more progress on this than the bug belies. Hopefully I'll have my WIP branch in order soon.
Some notes on this:
* Add a setting to p11-kit module configs which makes a module automatically
load in shared mode in the daemon instead of in-process. Maybe something like
this in the module config:
* The daemon would be autostarted if not already running, taking cues from
how gpg2 starts gpg-agent. This would be started if any modules are
'session-daemon' (see above).
To do the above we would create a p11-kit-daemon binary.
Although not strictly related to the daemon, I'd also like to support exec'ing a process and talking PKCS#11 RPC to it on stdio. We could install a 'p11-kit-remote' executable for this, which talks PKCS#11 RPC on stdio, and loads a specific module.
This has two use cases:
* Running a PKCS#11 module in another process, for security reasons. That
process could be locked down via SELinux and so on. Maybe with a config line
* Running a PKCS#11 module on another machine, similar to what pkcs11_proxy
does. You would add a line like this to the module config:
remote: ssh hostname.example.com /usr/libexec/p11-kit-remote my-module-name
All of the above would only work on Unix, and not be compiled for win32.
Maybe it will be interesting for you that the FreeIPA and SSSD projects plan to implement something like this...
Contact email@example.com if you want to know more details.
Have a nice day!