One problem with the kcm approach is that I'm not sure it will work well with the linux keyring cache type that umich has been planning to donate. I'm not sure how well keyring access would work for a process trying to renew credentials that is not running as part of the session involved.