For PEP 752 purposes, I think you can ignore the initial survey post. For that, I was doing my best to present everything as neutrally as I could without expressing my own opinions. The headings are just grouping the different ideas into categories rather than indicating any kind of importance level.
The second post in the thread is the one that describes my personal opinion: Ideas for client side package provenance checks - #2 by ncoghlan
That’s the origin of my requests in this thread to focus on comparing the pros and cons of domain-control-based assertions and PyPI-org-account-based ones:
However, at this point, I would strongly encourage you not to try to immediately come up with a response that explains why my suggestion to focus on using domain control as the basis for account and project provenance assertions is wrong and using PyPI org accounts directly is the way to go. I get the impression my comments are coming across as attacks, and that is triggering a defensive response rather than a contemplative one.
Instead, take some time to consider how the namespace prefix proposal would really change if everywhere a PyPI account name appears in the proposal a domain name were to appear instead. Then consider what it would mean for clients if they could go to a well known URL on the claimed domain and obtain information about which accounts, projects, and namespace prefix reservations on PyPI are controlled by the same entity as the one that controls that domain name.
I think you’ll find that the repository side of things wouldn’t change much (we’d just be replacing one string with another), but on the client side instead of an opaque token that we just have to trust we’d instead have an identifier that we can use to start doing our own additional verification of provenance.
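The following is an added example, not code from this thread, from PyPI or from PEP 752, of what the client-side verification sketched in the post above could look like once the repository hands a client a domain name rather than an opaque account token. Everything concrete in it is an assumption made for illustration: the well-known path (`/.well-known/pypi-provenance.json`), the JSON layout of the document served there, the shape of the repository-side record, the rule that a reserved prefix covers a project only when the prefix is followed by a separator, and the sample data, which is constructed inline so the check runs offline. The security-relevant point it encodes is that the claim has to hold on both sides: a domain can publish any list it likes, so the domain document alone proves nothing about what the repository holds, and the repository's domain string alone is just the opaque token the post is trying to get away from.

```python
"""Client-side provenance cross-check (added example; all formats are assumptions)."""
from __future__ import annotations

import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumed well-known path; nothing in the thread specifies one.
WELL_KNOWN_PATH = "/.well-known/pypi-provenance.json"


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def normalize(name: str) -> str:
    """PyPI-style name normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def under_prefix(project: str, prefix: str) -> bool:
    """Assumed rule: a reserved prefix covers the project named exactly like it
    and any project that continues the prefix with a separator ('acme-' covers
    'acme_widgets' but not 'acmeutils')."""
    p, q = normalize(project), normalize(prefix).rstrip("-")
    return p == q or p.startswith(q + "-")


def fetch_domain_doc(domain: str, timeout: float = 5.0) -> Optional[dict]:
    """Fetch the (assumed) provenance document from the claimed domain over HTTPS.
    Returns None on any network/parse failure, or if the response was redirected
    off the claimed domain, so that a redirect cannot let another host answer."""
    url = f"https://{domain}{WELL_KNOWN_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if urlsplit(resp.geturl()).hostname != domain.lower():
                return None
            return json.load(resp)
    except (OSError, ValueError):
        return None


def verify_provenance(repo_record: dict, domain_doc: Optional[dict]) -> Verdict:
    """Two-sided check between the repository's record for a project and the
    document obtained from the domain that record names as controlling it.

    repo_record (assumed shape): {"name": ..., "controlling_domain": ..., "owner_account": ...}
    domain_doc  (assumed shape): {"pypi": {"accounts": [...], "projects": [...], "prefixes": [...]}}
    """
    project = repo_record["name"]
    domain = repo_record.get("controlling_domain")
    if not domain:
        return Verdict(False, "repository record names no controlling domain: nothing to verify against")
    if domain_doc is None:
        return Verdict(False, f"no provenance document retrievable from {domain}")

    claims = domain_doc.get("pypi", {})

    # If both sides name an account, they must agree on it.
    owner = repo_record.get("owner_account")
    if owner and claims.get("accounts") is not None and owner not in claims["accounts"]:
        return Verdict(False, f"{domain} does not list PyPI account {owner!r}")

    # The domain must claim the project directly or via a reserved prefix.
    if normalize(project) in {normalize(p) for p in claims.get("projects", [])}:
        return Verdict(True, f"{domain} lists {project} directly")
    for prefix in claims.get("prefixes", []):
        if under_prefix(project, prefix):
            return Verdict(True, f"{domain} reserves prefix {prefix!r}, which covers {project}")
    return Verdict(False, f"{domain} does not claim {project}")


# Constructed sample document, standing in for what fetch_domain_doc("example.org") would return.
SAMPLE_DOMAIN_DOC = {
    "pypi": {
        "accounts": ["acme-release-bot"],
        "projects": ["acme-core"],
        "prefixes": ["acme-"],
    }
}


if __name__ == "__main__":
    record = {"name": "acme_widgets", "controlling_domain": "example.org",
              "owner_account": "acme-release-bot"}
    print(verify_provenance(record, SAMPLE_DOMAIN_DOC))
    print(verify_provenance({"name": "acmeutils", "controlling_domain": "example.org"},
                            SAMPLE_DOMAIN_DOC))
```

In real use the second argument would come from `fetch_domain_doc(record["controlling_domain"])`; the sample document is passed directly so the example is reproducible without network access. Note that the domain document is only ever consulted for the domain the repository record itself names, which is what keeps a third-party domain from asserting control over projects it has no relationship with.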