The whole point of this exercise is that I now know how to deterministically derive child keys from any nsec by creating an xpub that can be made public to cryptographically prove that it belongs to the corresponding npub, and that a child public key can be cryptographically proven to be related to this npub by means of 1) a given derivation path, or 2) iterating through an established derivation path hierarchy, such as "M/44/1237/0/0/[1-iteration_limit]". These mechanisms are tried and tested from BIP32 for Hierarchical Deterministic Wallets. I'm just applying it to nostr npubs to solve for the problem of generating a root npub (with a nsec I put in a safe or HSM) and rotating through child npubs that can easily be determined to be related to the root npub and easily revoked (by publishing an invalidating event) if they are compromised. In the end, I am satisfied that the cryptographic mechanisms work for a straightforward key rotation (actually hierarchical key determination) that I can easily use while keeping my root nsec safe.

Replies (2)

What is the migration path from the current paradigm to this new revocable system with a secret master private key? I guess I should back up and validate that assumption: In this scheme is the master key kept secret and only used to derive new keys? If yes, what is the migration path from a single nsec to this hierarchical system?