There is a Nostr NIP proposal for key invalidation, using a chain of pre-generated keys, so a key can be rotated safely to another one (cannot be faked):
https://github.com/nostr-protocol/nips/pull/158
While working on a proto implementation, I got an idea for how the crypto part of it could be somewhat simplified by using only BIP32-style key derivation. Stay tuned :)