I'm using "core projects" as a shorthand for projects that directly address the core development environment, the stdlib, and priorities of committers on python-dev. Tarek is a committer, and it sounded like you, Jim, and Georg were all interested in this project, too -- that pushes it well into "core" territory IMO.
I understand why Tarek wants it, and I can sympathise with that: to protect PyPI passwords better (they are currently stored on disk in plain).
Putting it into distutils might not make it "official API", but then, I think it ought to be official API, since PyPI would be just one (minor) application of it; Python also features a netrc module (which probably nobody uses).
So I think it would be good to have a discussion upfront whether this should be added to the library after the summer is over (assuming it actually works by then). Decision to accept it or not as a SoC project is independent, but if accepted, the student should well understand the outcome of this discussion.