UCAN is a trustless, secure, local-first, user-originated authorization and revocation scheme. UCAN is designed to be very flexible: you can use it offline, online, fully P2P, federated, or with central servers.

I really should read about this in detail. FedIAM only solves the first step of the decentralised access control problem; this looks like it could solve the next step after that.

FedIAM's ACL mechanism needs some top-down design attention very soon; perhaps this will be a useful building block.