This seems like it would be actually a layered process:
There needs to be a policy of how the registry deals with "unpublishing" and identity theft. How can an identity be restored if it's lost once? Will there be a human way to recover an identity after losing keys to it?
Specify an authentication mechanism that utilizes the current NPM infrastructure to identify a user (i.e. in order to publish over an existing package, the last version needs to be signed)
Define a policy on conflicting versions (if the same project is published both to NPM & open-registry)