It's a very hard problem.

that was me and i don't think it's complicated if you think "authority" and "identity" keys one signs to authorise the other, and you advertise that state in your nip-05, in your kind 0 and so on... the authority keys are only then used for identity related events like those mentioned, nip-05 upgrade to update the keys (and sign the whole thing properly) as part of the nip-05 standard (small nostr client in the nip-05 webserver) and you can then have multiple keys referenced in the kind 0 and change them periodically all you need to do is also show the derivation paths beside the pubkeys and it's very simple for your keychain to know where it is at it's really not that complicated but nostr devs are mostly web devs not server devs and certainly not experienced with encoding and cryptography maybe i should put together a draft protocol for how i think it would be done most simply and robustly instead of typing it over and over again in notes