US9300639B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9300639-B1 |
| Application number | US-201313916915-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 13, 2013 |
| Priority date | Jun 13, 2013 |
| Publication date | Mar 29, 2016 |
| Grant date | Mar 29, 2016 |
Official abstract text for this publication.
A distributed computing environment utilizes a cryptography service. The cryptography service manages keys securely on behalf of one or more entities. The service may utilize multiple security modules. A coordinator may coordinate the security modules to ensure that the security modules operate with consistent operational parameters. A security module may propose a set of parameters for acceptance by the coordinator. If accepted, the coordinator may update the security modules in accordance with the proposal.
Opening claim text (preview).
What is claimed is:

1. A system, comprising: a plurality of security modules, each security module of the plurality of security modules includes at least one hardware processor and is configured to: operate in accordance with a state that corresponds to a cryptographic key; perform cryptographic operations with the cryptographic key; and require a valid electronic signature from a security module coordinator before updating the state of the plurality of security modules; and the security module coordinator, the security module coordinator not having access to the cryptographic key and being configured to: receive a token generated by a security module of the plurality of security modules, the token encoding, using the cryptographic key, a proposed state for the plurality of security modules and a proposed version identifier for the proposed state; determine, based at least in part on the proposed version identifier and a current version identifier of a current state of the plurality of security modules, whether to synchronize the plurality of security modules to the proposed state; and generate, based at least in part on the received token, an electronic signature for the token; and when said determining results in a determination to synchronize the plurality of security modules to the proposed state, provide the token and the generated electronic signature to each of at least a subset of the plurality of security modules with instructions to synchronize to the proposed state.

2. The system of claim 1, wherein: the cryptographic key is from a set of one or more cryptographic keys stored by each of the security modules from the plurality of security modules; and the token encodes a change to the set of one or more cryptographic keys.

3. The system of claim 1, wherein: determining whether to synchronize the plurality of security modules to the proposed state includes determining whether the proposed version identifier is more recent than the current version identifier; and determining to synchronize the plurality of security modules to the proposed state requires determining that the proposed version identifier is more recent than the current version identifier.

4. The system of claim 1, wherein each security module from the plurality of security modules is configured to enforce a set of quorum rules before fulfilling a request to provide a requested token.

5. The system of claim 1, wherein: the token includes information of the proposed domain state encrypted under another cryptographic key; and for each security module of the plurality of security modules: the security module has access, lacked by the remaining security modules of the plurality of security modules, to a private cryptographic key of a public-private key pair; and the token includes the other cryptographic key encrypted under a public cryptographic key of the public-private key pair.

6. The system of claim 1, wherein: when said determining results in a determination to not synchronize the plurality of security modules to the proposed state, refraining from generating an electronic signature based at least in part on the token; and each security module of the plurality of security modules requires a valid electronic signature before fulfilling an instruction to synchronize to a new state.

7. A computer-implemented method for device coordination, comprising: under the control of one or more computer systems configured with executable instructions, receiving a proposal generated by a device of a plurality of devices, each of the plurality of devices having a first set of operational parameters including a cryptographic key, the proposal encoding, using the cryptographic key, a second set of operational parameters for the plurality of devices, the device configured to require a valid instruction from an authorized external source before updating to operate in accordance with the proposal; determining whether the proposal conflicts with one or more previously received proposals; and when said determining results in a determination that the proposal is unconflicting with one or more previously received proposals, causing each device of the plurality of devices to replace the first set of operational parameters with the second set of operational parameters.

8. The computer-implemented method of claim 7, wherein causing each device of the plurality of devices to operate in accordance with the second set of operational parameters includes issuing an update instruction to the device with an electronic signature verifiable by the device.

9. The computer-implemented method of claim 7, wherein: the devices are security modules; and the second set of operational parameters includes a set of cryptographic keys usable by the security modules for performing cryptographic operations.

10. The computer-implemented method of claim 7, wherein: the proposal has an identifier for the second set of operational parameters; and determining whether the proposal conflicts with one or more previously received proposals is based at least in part on the identifier relative to one or more other identifiers for the one or more previously received proposals.

11. The computer-implemented method of claim 7, wherein the proposal is a token that encrypts at least one member of the second set of operational parameters.

12. The computer-implemented method of claim 7, wherein the proposal is received in a request transmitted from another device that is outside of the plurality of devices.

13. The computer-implemented method of claim 7, wherein the proposal includes, for each device of the plurality of devices, an encrypted replica encoding at least one operational parameter from the second set of operational parameters, each replica encrypted under a different cryptographic key.

14. A device, comprising: one or more processors; and memory including instructions that, when executed by the one or more processors, cause the device to: generate a proposal encoding, using a cryptographic key, a proposed set of operational parameters for a plurality of devices that includes the device, the proposed set of operational parameters differing from a current set of operational parameters in accordance with which the device operates, the current set of operational parameters including the cryptographic key; provide the generated proposal; and operate in accordance with the proposed set of operational parameters as a result of receiving an instruction to operate in accordance with the proposed set of operational parameters from a coordinator device authorized to transmit the instruction, the coordinator device not having access to the cryptographic key.

15. The device of claim 14, wherein: the current set of operational parameters includes a set of quorum rules; the instructions further cause the device to: receive a request to provide the proposal; determine whether the request was generated in compliance with the set of quorum rules; and require that the request be generated in compliance with the set of quorum rules before generating the proposal.

16. The device of claim 14, wherein providing the generated proposal includes transmitting the generated proposal to another device different from the coordinator device.

17. The device of claim 14, wherein the proposal includes, for each device of the plurality of devices, an encrypted replica encoding at least one operational parameter from the proposed set of operational parameters, each replica encrypted under a different public key corresponding
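An added illustration, not taken from the patent or from any implementation of it, of the flow in claims 1, 3 and 6: a module proposes a versioned state, the coordinator signs only a newer version, and modules refuse to update without that signature. Assumptions: the class and key names are hypothetical, the token is authenticated with HMAC rather than encrypted, and HMAC under a constructed coordinator key stands in for the coordinator's electronic signature.

```python
import hashlib, hmac, json
# Constructed keys. DOMAIN_KEY is held by security modules only. COORD_KEY is an
# HMAC stand-in for the coordinator's signing key (a real design would sign asymmetrically).
DOMAIN_KEY = b"constructed-domain-key"
COORD_KEY = b"constructed-coordinator-key"

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class SecurityModule:
    def __init__(self):
        self.version, self.state = 1, {"keys": ["k1"]}
    def propose(self, new_state):
        # Token: proposed state and version, authenticated under the domain key.
        body = json.dumps({"version": self.version + 1, "state": new_state},
                          sort_keys=True).encode()
        return {"body": body, "tag": mac(DOMAIN_KEY, body)}
    def synchronize(self, token, signature):
        signed = token["body"] + token["tag"]
        if signature is None or not hmac.compare_digest(signature, mac(COORD_KEY, signed)):
            return False  # no valid coordinator signature: state unchanged
        if not hmac.compare_digest(token["tag"], mac(DOMAIN_KEY, token["body"])):
            return False  # token was not produced by a holder of the domain key
        proposal = json.loads(token["body"])
        if proposal["version"] <= self.version:
            return False  # stale or replayed proposal
        self.version, self.state = proposal["version"], proposal["state"]
        return True

class Coordinator:  # holds COORD_KEY only, never DOMAIN_KEY
    def __init__(self, modules):
        self.modules, self.current_version = modules, 1
    def handle(self, token):
        proposed = json.loads(token["body"])["version"]
        if proposed <= self.current_version:
            return None  # not more recent than current state: refrain from signing
        signature = mac(COORD_KEY, token["body"] + token["tag"])
        self.current_version = proposed
        for module in self.modules:
            module.synchronize(token, signature)
        return signature

def demo():
    a, b = SecurityModule(), SecurityModule()
    coordinator = Coordinator([a, b])
    first, second = a.propose({"keys": ["k1", "k2"]}), b.propose({"keys": ["k3"]})
    unsigned = a.synchronize(first, None)          # refused: no signature
    accepted = coordinator.handle(first) is not None
    rejected = coordinator.handle(second) is None  # competing proposal, same version
    return unsigned, accepted, rejected, a.state == b.state, b.version
```

The coordinator can order and authorize proposals without being able to forge one, because it cannot compute the token tag; the module-side version check keeps a replayed, previously signed token from rolling state back.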
Special signature format, e.g. XML format · CPC title
Key distribution {or management, e.g. generation, sharing or updating, of cryptographic keys or passwords (network architectures or network communication protocols for supporting key management in a packet data network H04L63/06)} · CPC title
involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title
Entity profiles · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title