More ambitious authentication interface

I like validate-userid for use in the test suite, and for people trying to curate keyrings (should they?!). But, I'm wondering whether we shouldn't try to aim higher.

For example, sop encrypt @mail:juliet@example.org,certd=/some/path/to/a/certd could mean "encrypt a message to juliet@example.org, found in the given certd, authenticated via OpenPGP's PKI, rooted by the certd's trust root".

Further, sop verify @mail:juliet@example.org could mean "verify the signature using certificates for juliet@example.org, found in the default certd, authenticated via OpenPGP's PKI, rooted by the certd's trust root".