Has anyone came up with a method of having a master nsec (stored offline) that enables a compromised child nsec to be deprecated and replaced.