You're talking about delegation, I'm talking about rotation.

But your stuff also can't be done reliably because there is no way to revoke your per-device signing keys without a centralized server telling everybody that a key was revoked.