I’m still failing to see how this wouldn’t be resolved with a nip-05.

If a user posts the nsec of the compromised account on the new secure account and the new secure account has an updated nip-05 pointing to the same URL as before.. Then nostr clients could be setup a feature to follow the new npub with the legitimate nip-05 and ignore the leaked account.

ie. If my nip-05 points to a new npub, and that new npub has posted the nsec of this old npub, autofollow the new npub and unfollow about the old one.

Even if someone with the private key of the compromised nsec attempts to update the nip-05 to a new one. The private key would be burnt to the new account and the client can verify the new npub with a new nip-05 lookup and burnt key combination.

I’m probably missing something obvious 🤓