support for unencrypted keys
In order to support SSO, we are probably going to use a 'key daemon' that keeps a temporary copy of unencrypted keys.
It would work like this:
- user logs into SSO identity provider (account.riseup.net), gets a ticket
- identity provider unlocks the user's encrypted storage key, keeps it in a key daemon
- user presents ticket to email server
- email service authenticates to a local auth daemon.
- this auth daemon checks the key daemon. If it is given a password, it returns the encrypted key. If it is given a valid ticket, it returns the unencrypted key.
So, in preparation for this, TREES should do this:
- Before we try to unlock a private key, check to see if it is already unlocked. If it is, then just use it as-is.
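A sketch of the flow above, added here as an illustration; it is not TREES or Riseup code. It models the key daemon's two answers and the "already unlocked" check on the mail side, with unlocked keys bound to one user and expiring with the ticket. Assumptions: every name, the `locked` flag in the lookup result, the ticket TTL, and the PBKDF2/XOR/HMAC wrapping, which stands in for real authenticated encryption.

```python
import hashlib, hmac, os, time
# Added illustration: all names and the "locked" flag are assumptions, not TREES code.
def _kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000, dklen=64)

def lock_key(secret: bytes, password: bytes) -> dict:
    """Wrap a 32-byte key under a password (stand-in for real authenticated encryption)."""
    salt = os.urandom(16)
    k = _kdf(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, k[:32]))
    return {"locked": True, "salt": salt, "key": ct,
            "tag": hmac.new(k[32:], ct, "sha256").digest()}

def unlock_key(rec: dict, password: bytes) -> bytes:
    k = _kdf(password, rec["salt"])
    tag = hmac.new(k[32:], rec["key"], "sha256").digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        raise PermissionError("wrong password")
    return bytes(a ^ b for a, b in zip(rec["key"], k[:32]))

class KeyDaemon:
    """Holds unlocked keys in memory only, and only for the lifetime of a ticket."""
    def __init__(self, stored: dict):
        self._stored = stored   # user -> locked record (persistent storage)
        self._unlocked = {}     # sha256(ticket) -> (user, secret, expiry)

    def sso_login(self, user, password, ttl=300):
        secret = unlock_key(self._stored[user], password)  # identity provider step
        ticket = os.urandom(32)
        self._unlocked[hashlib.sha256(ticket).digest()] = (user, secret, time.time() + ttl)
        return ticket

    def lookup(self, user, ticket=None, now=None):
        """Auth daemon query: valid ticket -> unlocked key, no ticket -> locked key."""
        now = time.time() if now is None else now
        if ticket is not None:
            entry = self._unlocked.get(hashlib.sha256(ticket).digest())
            if entry and entry[0] == user and now < entry[2]:
                return {"locked": False, "key": entry[1]}
            raise PermissionError("invalid or expired ticket")  # never fall back silently
        return self._stored[user]

def obtain_private_key(rec: dict, password=None) -> bytes:
    """Mail-side step: use an already unlocked key as-is, otherwise unlock it."""
    if not rec["locked"]:
        return rec["key"]
    if password is None:
        raise PermissionError("key is locked and no password was supplied")
    return unlock_key(rec, password)
```

The "already unlocked" decision rests on an explicit flag set by the trusted lookup, not on guessing from the key bytes, so a locked key can never be mistaken for usable key material.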