Something like pre-signing the next npub you are going to use in case your current nsec gets compromised. It will need some sort of timestamp so that the compromised nsec can’t spoof the pre-sign. 

 For identity migration - yeah that's basically nip41 proposed by Pablo  

 Very cool. I will be digging into that with @PABLOF7z