You’re right that implicit rotation can work in a perfect discipline model and does minimize client work.

The reason I still require explicit root authorization is survivability under failure. I want a cryptographic way to distinguish intent from accident or compromise, and a way to revoke or supersede a key after the fact.

Implicit “highest index wins” infers authority. Cold Root Identity makes authority explicit. That’s the tradeoff I’m choosing.