About key management, I like the idea of using a trusted domain (like GitHub, or your own site, etc.) to provide the link to the npub used. This allows users to leave their ID in a centralized service to mitigate the risk of losing their private keys. It would be nice if Nostr clients had an option to give a big red alert if the "trusted domain" keys stopped matching the npub. It could be a big alert, or by default just switch to what the trusted domain is saying.
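The mismatch check described in the comment above, as an added example that is not part of the original comment and not code from any Nostr client. It assumes the trusted domain publishes a NIP-05 style JSON document mapping a name to a hex public key; the function names, policy labels and sample keys are hypothetical and constructed for illustration.

```javascript
// Added example. Assumes the trusted domain serves a NIP-05 style JSON document:
//   {"names": {"<name>": "<64-char hex public key>"}}
// Function names and policy labels are hypothetical; sample keys are constructed.
const HEX_PUBKEY = /^[0-9a-f]{64}$/;

// Compare the key the client has pinned with the key the domain publishes for `name`.
// status: "match" | "mismatch" | "name_missing" | "malformed"
function checkDomainKey(pinnedHex, name, nostrJsonText) {
  let doc;
  try {
    doc = JSON.parse(nostrJsonText);
  } catch {
    return { status: "malformed", domainKey: null };
  }
  const names = doc !== null && typeof doc === "object" ? doc.names : null;
  if (names === null || typeof names !== "object" || Array.isArray(names)) {
    return { status: "malformed", domainKey: null };
  }
  if (!Object.prototype.hasOwnProperty.call(names, name)) {
    return { status: "name_missing", domainKey: null };
  }
  const domainKey = typeof names[name] === "string" ? names[name].toLowerCase() : "";
  if (!HEX_PUBKEY.test(domainKey)) return { status: "malformed", domainKey: null };
  const status = domainKey === pinnedHex.toLowerCase() ? "match" : "mismatch";
  return { status, domainKey };
}

// The two behaviours from the comment: "alert" keeps the pinned key and warns;
// "follow-domain" switches to the domain's key. Any other failure keeps the pinned key.
function resolveKey(pinnedHex, name, nostrJsonText, policy = "alert") {
  const { status, domainKey } = checkDomainKey(pinnedHex, name, nostrJsonText);
  if (status === "match") return { key: pinnedHex, alert: null };
  if (status === "mismatch" && policy === "follow-domain") {
    return { key: domainKey, alert: "switched to the key published by the domain" };
  }
  return { key: pinnedHex, alert: `domain key check failed: ${status}` };
}

// Constructed sample data (not real keys).
const PINNED_KEY = "a".repeat(64);
const ROTATED_DOC = JSON.stringify({ names: { bob: "b".repeat(64) } });
console.log(resolveKey(PINNED_KEY, "bob", ROTATED_DOC));
console.log(resolveKey(PINNED_KEY, "bob", ROTATED_DOC, "follow-domain"));
```

Under the "follow-domain" policy, whoever controls the domain's content controls which key the client trusts, so the alert still fires on every switch rather than changing keys silently.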