i proposed a scheme for separating identity from authorization in a manner similar to web sessions. this lets you better protect your actual identity key, avoids guessing whether a rotation was valid, can be verified without external requests, and in the event of loss is basically the same as bulk nip-09 deletions
Discussion
Thats quite interesting and might play nicely with my prototype of ZK and bip-85 hierarchical nostr keys
https://github.com/wujifoo/nostr-bip-85-prototype
The zk can assert ownership/relationship of another key, doesn't help if the root is compromised though. So ideally you would never use the root for anything other than generating other keys. (Which can also do the same)