+ #
+ # right now, SFA only has *one* key attached to a user, and this is
+ # the key that the GID was made with
+ # so the logic here is, we consider that things are OK (unchanged) if
+ # all the SFA keys are present as PLC keys
+ # otherwise we trigger the creation of a new gid from *some* plc key
+ # and record this on the SFA side
+ # it would make sense to add a feature in PLC so that one could pick a 'primary'
+ # key but this is not available on the myplc side for now
+ # = or = it would be much better to support several keys in SFA but that
+ # does not seem doable without a major overhaul in the data model as
+ # a GID is attached to a hrn, but it's also linked to a key, so...
+ # NOTE: with this logic, the first key entered in PLC remains the one
+ # current in SFA until it is removed from PLC