Apparatus and method for sharing a hardware security module interface in a collaborative network

We claim: 1. A method, comprising: establishing a collaborative network, at a first communication device having a secure access to a security module, by forming a collaborative security association between the first communication device and a second communication device, wherein the first communication device and the second communication device are associated with a user; at least one of: sending, by the first communication device to the second communication device, an advertisement of services associated with the security module and receiving an advertisement response from the second communication device, and receiving, by the first communication device from the second communication device, a solicitation request for services associated with the security module; responsive to receiving one of the advertisement response and the solicitation request determining, by the first communication device, whether the second communication device is authorized to access the security module; establishing, by the first communication device, a session with the security module to provide security services offered by the security module to the second communication device according to one of the advertisement response and the solicitation request, wherein the session is established by providing activation data; using, by the first communication device, activation data policy provided by the security module to one of store and discard the activation data; and forwarding, by the first communication device, security service messages between the second communication device and the security module, responsive to determining that the second communication device is authorized to access the security module. 2. The method of claim 1 , where one of the advertisement response and the solicitation request includes data representing a PKCS11 function and associated arguments. 3. The method of claim 1 where the determining further comprises verifying that credentials used by the second communication device in establishing the collaborative security association are appropriate for accessing the security module. 4. The method of claim 3 wherein the determining further comprises obtaining the credentials of the second communication device from a third device in the collaborative network. 5. The method of claim 1 wherein the processing further comprises decrypting and encrypting messages between the second communication device and the security module and enforcing access control. 6. The method of claim 1 , wherein the session is established in one of a proxy mode or a tunnel mode, wherein in the proxy mode, communication between the second communication device and the service module is transmitted through the first communication device. 7. The method of claim 6 , wherein the session is established in the proxy mode and the first communication device one or more of: enforces access control for a key to be used by the second communication device; and forwards cryptographic operations requested by the second communication device to the security module. 8. The method of claim 6 , wherein the session is established in the tunnel mode and wherein, when in the tunnel mode, the first communication device introduces the second communication device to the security module, the second communication device establishes an independent session with the security module, and the first communication device routes traffic between the second communication device and the security module and is unable to decipher cryptographic information transmitted between the second communication device and the security module. 9. The method of claim 6 , wherein the session is established in the tunnel mode and wherein, when in the tunnel mode: the security module enforces access control for a key to be used by the second communication device, activation data provided by the second communication device for activating the key in the security module is known to the second communication device, and one of the first communication device and the second communication is configured to deactivate the key and close the session. 10. The method of claim 1 , wherein the advertisement includes at least one of: information about the capabilities of the security module, access restrictions associated with accessing the security module, a list of the types of credential to be used by the second communication devices, and an access restrictions associated with each of the credentials. 11. The method of claim 1 , wherein the connection between the first communication device and the security module is by one of a first security association between the first communication device and the security module, an internal communication bus on the first communication device, and a network connection outside of the collaborative network. 12. The method of claim 1 , further comprising advertising, by the second communication device, services associated with the security module in a service advertisement. 13. A method, comprising: establishing a collaborative network, at a first communication device having a secure access to a security module, by forming a collaborative security association between the first communication device and a second communication device, wherein the first communication device and the second communication device are associated with a user; at least one of: sending, by the first communication device to the second communication device, an advertisement of services associated with the security module and receiving an advertisement response from the second communication device, and receiving, by the first communication device from the second communication device, a solicitation request for services associated with the security module; responsive to receiving one of the advertisement response and the solicitation request determining, by the first communication device, whether the second communication device is authorized to access the security module; establishing, by the first communication device, a session with the security module to provide security services offered by the security module to the second communication device according to one of the advertisement response and the solicitation request, wherein the session is established by providing activation data; verifying, by the first communication device, that session attributes for an existing session are suitable for fulfilling one of the advertisement response and the solicitation request and modifying the session attributes if the session attributes are determined to be unsuitable; and forwarding, by the first communication device, security service messages between the second communication device and the security module, responsive to determining that the second communication device is authorized to access the security module. 14. The method of claim 13 , wherein the session is established in one of a proxy mode or a tunnel mode, wherein in the proxy mode, communication between the second communication device and the service module is transmitted through the first communication device. 15. The method of claim 14 , wherein the session is established in the proxy mode and the first communication device one or more of: enforces access control for a key to be used by the second communication device; and forwards cryptographic operations requested by the second communication device to the security module. 16. The method of claim 14 , wherein the session is established in the tunnel mode and wherein, when in the tunnel mode: the security module enforces access control for a key to be