It seems clear we need some sort of alternative "trusted contact list" NIP. This would also be useful for stuff like app binary distribution if we replace pgp verification.