by remram
1172 days ago
> I'm glad you agree that knowing someone's name, age, and address doesn't prove their trustworthiness

My point is that NOTHING about their "identity" provides trustworthiness, unless you actually know that person and you're contracting them in some way.

> build up trust in an identity based on how long that identity has been used

Why would that be true? Time and time again, we have seen popular packages take a wrong turn. An "identity" is just a key with some untrustable name on it, which can be sold or mishandled just as easily as your NPM or GitHub password. If your entire security still relies on "this rando didn't do me wrong in the past, they're probably fine" or "they have a lot of GitHub stars", why introduce key management? What does it really get you?