This patch I just posted on p5p enables 'make distsign' support that creates a signed MANIFEST.digest, which contains MD5 digests of individual files in the distribution.
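As an added illustration (not the p5p patch itself, and not Module::Signature code), this builds a MANIFEST.digest-style list of per-file MD5 digests for a constructed distribution and then verifies a tree against it, flagging a file edited after signing and a file that went missing. The line layout `MD5 <hexdigest> <path>` and the helper names are assumptions, since the post does not show the file format; the PGP signing of the list, which is what gives it any authority, is left to gpg as in the patch.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed line format (not shown in the post): "MD5 <hexdigest> <relative path>".

def file_md5(path: Path) -> str:
    """Stream a file through MD5 so large archives do not get slurped into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_digest(root: Path, manifest: list[str]) -> str:
    """Emit one digest line per MANIFEST entry, in MANIFEST order (sign-time step)."""
    return "".join(f"MD5 {file_md5(root / name)} {name}\n" for name in manifest)

def verify_digest(root: Path, digest_text: str) -> dict[str, list[str]]:
    """Recompute every listed digest and report what does not match.
    The caller must have verified the signature over digest_text first;
    an unsigned digest list only proves the tree matches *some* list."""
    report: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": []}
    for line in digest_text.splitlines():
        algo, expected, name = line.split(" ", 2)
        if algo != "MD5":
            raise ValueError(f"unsupported digest algorithm: {algo}")
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif file_md5(path) != expected:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    return report

def demo() -> dict[str, list[str]]:
    """Constructed dist: digest it, then alter one file and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        files = {"Makefile.PL": b"use ExtUtils::MakeMaker;\n",
                 "lib/Foo.pm": b"package Foo; 1;\n",
                 "README": b"Foo - a constructed example dist\n"}
        for name, data in files.items():
            (root / name).write_bytes(data)
        digest = build_digest(root, sorted(files))          # what 'make distsign' would sign
        (root / "lib/Foo.pm").write_bytes(b"package Foo; 1;  # edited after signing\n")
        (root / "README").unlink()
        return verify_digest(root, digest)                    # what the installer would run
```

Swapping `hashlib.md5` for `hashlib.sha256` and the `MD5` tag is a two-line change if the digest algorithm is ever revisited.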
Some other ideas involve PKI (having CPAN sign authors' keys, and authors sign each other's), auto-aliasing in verification based on 01mailrc.txt.gz, Module::Build integration, and revocation management.
Maybe having /authors/id/A/AU/AUTRIJUS/PUBKEY in addition to CHECKSUM, too -- although there are existing keyservers, a single place to announce a PAUSE ID's tie to a key ID might be worth it.
On the other hand, maybe pointing everybody to Use Perl; is enough. ;-)