how does it work without giving away your nsec or requiring a complex key delegation system and database?