teatwo on Nostr: How about this one? ...

How about this one?

quoting
note1wwf…fx4k

IDEAL

- ONE npub with TWO nsec
- As usual by "1 of 2", you sign with one nsec
- another nsec is for recovery, in case you need to revoke the usual nesc
- replace the revoked key to new key keeping1 of 2
- you will sign with new one nec and others keep to verify with the same npub

So you get the key rotation without monitoring revoke list.

It's outside your original question as it assumes it will be stolen, and also it's "long-term" vision, and also i think the applications should mainly do it to ensure the variety of recovery method, remote agency service, etc.