Techniques are provided for establishing and managing a distributed
credential store. An identity service aggregates identity information
from one or more identity stores and maintains the information as a
remote credential store. Initially, the remote credential store, or
portions thereof, is transmitted to a principal service as an initial
configuration of a local credential store. A principal interacts with the
principal service to define or modify a policy that identifies which
portions of the remote credential store are to be synchronized with the
local credential store. In some embodiments, the principal also interacts
with the principal service to define a local policy that identifies
portions of the local credential store which are not synchronized back to
the remote credential store. The interactions between the credential
stores are authenticated, so that each side can trust what it receives,
and secured.
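The following is an added illustration, not code from the patent or from any product it describes. It models the two stores as dictionaries, the synchronization policy as a selection over entry names and source identity stores (the selection criteria are an assumption for this example), the local policy as a set of entries withheld from the push back to the identity service, and the "trusted and secured" exchange as HMAC-authenticated messages over a shared key that is assumed to have been provisioned out of band. All sample entries are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: the identity service's aggregated view of several
# identity stores, each entry tagged with the store it came from.
REMOTE_STORE = {
    "alice/ssh-key":   {"source": "ldap",  "value": "ssh-ed25519 AAAA..."},
    "alice/vpn-cert":  {"source": "ldap",  "value": "-----BEGIN CERTIFICATE-----"},
    "bob/ssh-key":     {"source": "ldap",  "value": "ssh-ed25519 BBBB..."},
    "svc-db/password": {"source": "vault", "value": "example-only"},
}

# Assumption for this example: a secret shared by the identity service and the
# principal service, provisioned out of band, used to authenticate sync messages.
SHARED_KEY = b"example-shared-key-provisioned-out-of-band"


def select(store, policy):
    """Return the portion of `store` matched by `policy`.

    A policy is {"prefixes": [...], "sources": [...]} (an assumed shape): an
    entry matches if its name starts with any listed prefix (or no prefixes are
    listed) and its source store is listed (or no sources are listed).
    """
    prefixes = policy.get("prefixes", [])
    sources = policy.get("sources", [])
    selected = {}
    for name, entry in store.items():
        if prefixes and not any(name.startswith(p) for p in prefixes):
            continue
        if sources and entry["source"] not in sources:
            continue
        selected[name] = entry
    return selected


def sign(payload):
    """Serialize a sync payload canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True)
    mac = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def is_authentic(message):
    """Constant-time check that the message's tag matches its body."""
    expected = hmac.new(SHARED_KEY, message["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["mac"])


def verify(message):
    """Reject any message whose tag does not verify before parsing its body."""
    if not is_authentic(message):
        raise ValueError("sync message failed authentication")
    return json.loads(message["body"])


def pull(remote, local, sync_policy):
    """Identity service -> principal service.

    Ships only the portion of the remote store the sync policy names; the
    principal service verifies the message and merges it into the local store.
    Returns the sorted names of the entries that were transferred.
    """
    message = sign({"entries": select(remote, sync_policy)})
    entries = verify(message)["entries"]
    local.update(entries)
    return sorted(entries)


def push(local, remote, local_policy):
    """Principal service -> identity service.

    Everything in the local store is sent back except the portion the local
    policy marks as not to be synchronized. Returns the sorted names sent.
    """
    withheld = select(local, local_policy)
    outbound = {name: e for name, e in local.items() if name not in withheld}
    message = sign({"entries": outbound})
    entries = verify(message)["entries"]
    remote.update(entries)
    return sorted(entries)


if __name__ == "__main__":
    remote, local = dict(REMOTE_STORE), {}
    # Initial configuration: only alice's entries are pulled to the principal service.
    print("pulled:", pull(remote, local, {"prefixes": ["alice/"]}))
    # A locally issued credential that the local policy keeps out of the push.
    local["alice/local-token"] = {"source": "local", "value": "example-only"}
    print("pushed:", push(local, remote, {"sources": ["local"]}))
    print("local-only entry leaked to remote?", "alice/local-token" in remote)
```

The HMAC step stands in for whatever channel protection the identity service and principal service actually use; the point it demonstrates is that a store never applies a batch of credentials it cannot authenticate, and that the local policy is enforced before anything leaves the principal service rather than filtered on the receiving end.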