Basic question, maybe I missed it scanning docs:
If I run DAML on top of postgres how do keys get bound to a party? Where does signature verification occur? Could the binding of keys to a party be done via some kind of certificate authority, and the signatures verified through a cert chain?
It depends which of the postgres drivers we are talking about. I’d start by reading the blog post Identity in Daml. You’ll see there that parties don’t have an identity on the ledger, only “participants” do.
In the Daml Driver for PostgreSQL 1.X, the thing you can download from GitHub releases as daml-on-sql....jar, the participant and driver are fully integrated and actually trust each other a fair deal as they are always run by the same operator. As there is only one participant, there is only one identity on the underlying database - ie one database user. There is no cryptography involved at all.
The Daml Driver for PostgreSQL 2.X was recently released in Alpha. This one is Canton based and the participant and database are not integrated. The relationship between them becomes much more untrusted. With Canton, the role of the database/blockchain underlying the Driver is reduced to ordering, consensus and routing only. The database is really only used as a backend for those services and only ever contains ledger data in fully encrypted form. Participant and Party identities are managed through certificate chains via an identity service that’s part of the driver. You can find in-depth documentation of that in the Canton docs.
Ed: You can download the community edition of Canton, which includes the driver for PostgreSQL from the GitHub releases page of Canton.