That's fine. What I am trying to understand is the role of the online signing component that need to check which keys are signing and the role of the master key that can rotate key shares. Does the online component have a list of authorized pubkeys or does it just check if the incoming signature comes from any key that is inside the polynomial? Meaning, can I rotate single device keys while keeping all the others in place, without changing the key set of the online service? Or do I need to update the online signer with a new public key that is authorized? Ideally those two things would be separate. I load a polynomial on the signing service and then the air-gapped share creation/rotation service can generate new keys for new devices without having to update any of the old ones and the main signer.