It doesn't require maintaining a database. The certificates can be in a registry but also can be on your device without being in a registry. In any case, the security is not associated with a database or anything of the sort.
Yes, if you lose your keys you do have to get new certificates and, if possible, revoke the lost keys. Revoking certificates will require either a revocation code that is issued when you get the certificate or a copy of your private key to issue a revocation request.
If you don't have a revocation code or a private key for the cert you wish to revoke, it will require administrative access to the certificate registry to mark the cert as revoked. That feature is currently built into the platform but not something accessible because of the obvious challenges.
Your private keys are only known to you; certificate revocation is just an annotation that says to someone who receives a signature associated with that certificate to not trust the certificate.
All private keys are generated and stored only on your device.
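The two revocation paths the post describes (a revocation code issued at registration, or a request signed with a copy of the private key) and the "do not trust" annotation a recipient checks are easiest to see in code. This is an added example, not code from the platform being discussed: it assumes Ed25519 keys, a hypothetical in-memory `Registry`, a made-up `Cert` record, a constructed `REVOKE:<id>` request format, and a constructed sample document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Cert is a hypothetical minimal certificate: an ID plus the public key whose private half stays on the holder's device.
type Cert struct {
	ID     string
	PubKey ed25519.PublicKey
}

// Registry keeps certs, a hash of each cert's revocation code, and the "do not trust" annotation the post describes.
type Registry struct {
	certs    map[string]Cert
	codeHash map[string][32]byte
	revoked  map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{certs: map[string]Cert{}, codeHash: map[string][32]byte{}, revoked: map[string]bool{}}
}

// Register stores the cert and returns a one-time revocation code; only its hash is kept registry-side.
func (r *Registry) Register(c Cert) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := hex.EncodeToString(raw)
	r.certs[c.ID] = c
	r.codeHash[c.ID] = sha256.Sum256([]byte(code))
	return code, nil
}

// revocationMessage is the constructed fixed statement a holder signs to request revocation.
func revocationMessage(id string) []byte { return []byte("REVOKE:" + id) }

// RevokeWithCode is the first path from the post: present the code issued at registration.
func (r *Registry) RevokeWithCode(id, code string) error {
	want, ok := r.codeHash[id]
	got := sha256.Sum256([]byte(code))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return fmt.Errorf("revocation code rejected for %q", id)
	}
	r.revoked[id] = true
	return nil
}

// RevokeWithSignature is the second path: a request signed with a copy of the private key.
func (r *Registry) RevokeWithSignature(id string, sig []byte) error {
	c, ok := r.certs[id]
	if !ok || !ed25519.Verify(c.PubKey, revocationMessage(id), sig) {
		return fmt.Errorf("revocation request for %q not signed by the holder", id)
	}
	r.revoked[id] = true
	return nil
}

// Trusted is the recipient's check: the signature verifies under the cert's key and the cert carries no revocation annotation.
func (r *Registry) Trusted(id string, msg, sig []byte) bool {
	c, ok := r.certs[id]
	return ok && ed25519.Verify(c.PubKey, msg, sig) && !r.revoked[id]
}

// Demo runs the lifecycle on constructed sample data and returns each outcome.
func Demo() (trustedBefore, badCodeRejected, forgedSigRejected, trustedAfter bool) {
	reg := NewRegistry()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Cert{ID: "cert-demo-1", PubKey: pub}
	code, _ := reg.Register(cert)
	msg := []byte("constructed sample document")
	sig := ed25519.Sign(priv, msg)
	trustedBefore = reg.Trusted(cert.ID, msg, sig)
	// Neither a guessed code nor a request signed with someone else's key revokes the cert.
	badCodeRejected = reg.RevokeWithCode(cert.ID, "not-the-code") != nil
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedSigRejected = reg.RevokeWithSignature(cert.ID, ed25519.Sign(otherPriv, revocationMessage(cert.ID))) != nil
	// The holder revokes with the issued code (a signed request from a backup of the private key would do the same).
	_ = reg.RevokeWithCode(cert.ID, code)
	trustedAfter = reg.Trusted(cert.ID, msg, sig)
	return
}

func main() {
	b, c, f, a := Demo()
	fmt.Printf("trusted before: %v | bad code rejected: %v | forged request rejected: %v | trusted after: %v\n", b, c, f, a)
}
```

The registry never holds a private key or the revocation code itself, only its hash, so the revocation annotation can be set by exactly two parties: whoever was handed the code at registration, and whoever still holds the private key. Anyone else's request fails verification and leaves the cert untouched, which is the property the third case in the post (no code, no key, hence an administrative action) exists to work around.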
Okay, so we've established there must be a central registry, since it's a certainty that somebody's 65-year-old mom will lose her phone and her certs and keys with it.
How does your system protect against attackers claiming to be my mom?