@Timothy Bradley the main problem is that once a key is compromised its very hard to do anything sensible. fusion identity would allow you to first say that the old key and new key are 1 identity and then later tombstone that identity and redirect to a new fusion identity only containing the new key. The good thing about this setup is that you can specify what happened in the redirect.

@Timothy Bradley the fusion identity is not able to produce anything itself. When you send a PM to the identity, a reply will be from one of the feeds of the fusion identity. The question remains, what happens if you send a message to a fusion identity and later you get a message that is it now tombstoned. From a security perspective you should expect that all messages written to the fusion identity could be comprised, even earlier messages. Then again that is not that much different from another account being compromised. There is a bigger attack surface because you have more devices, on the other hand you actually have a mechanism for telling the world about that. And it doesn't have to be only a compromise, it could even be like this was my old identity, now I'm moving to this new identity.