I’m more familiar with the theoretical rather than the implementation details, but in theory, key rotation can be initiated from any device with the private key, so yes, any server hosting your identity can initiate a key rotation. I think in practice, the way Hubzilla and zot do this is by designating one of the servers as the “primary” and all the others as “secondary”. The primary zot server handles all logic and replicates your information to all your secondaries, but if the primary server goes offline (perhaps permanently), then any already-authorized secondary server can claim to be the new primary server following a user-initiated update process. Once you have a primary server online, you can take any account-related actions. I would defer to the zot documentation for more details on the technical side of things: https://project.hubzilla.org/help/en/developer/zot_protocol
If your password is compromised, then you lose access to just that account on that server. I don’t think there’s anything stopping you from having a different password on each server; think of the server as simply an entry point into the zot network. I can be
social.trwnh.com identified by
example.social identified by someotherpass…
I could make trwnh.com the primary server and example.social the secondary server, post from either server, and if I ever come to distrust example.social, then I would disconnect the two accounts and perhaps cycle out my keys (and warn my friends of the reason I’m cycling my key out, so that they know that I still have access to the account). If my primary at trwnh.com were hacked, then I would contact the admin (myself) to lock the account and change my password there. Of course, I’m limited in what I can do with regards to regaining access, in a similar way that I might be limited on any system existing today if I lost my password.
In more general security terms: hosting your identity on multiple servers increases the potential attack surface without introducing any significantly different attack vectors. And you can still choose to host your identity only on one server, even in a nomadic system. But the main advantage you gain is that your identity is now no longer bound to DNS. Although DNS can still be used as a superficial trust signal, because maybe you trust that I have control of trwnh.com and that I would not sabotage my own account by pointing it at some primary like untrustworthy.social. On a user level, this means you can change username and domain quite easily, rather than being stuck with what you signed up with; it’s much the same as moving to a different house and updating your physical address. Just because I once lived at 123 Example St. doesn’t mean that no one else can live there after I move out.
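To make the key-bound identity, primary failover and key-rotation points concrete, here is an added Go example of my own; it is a constructed model, not Hubzilla's or zot's actual code or wire format. The identity is an Ed25519 public key, and a follower accepts a change of primary hub, or a rotation to a new key, only when the claim is signed by the key it already trusts; the Claim/Verify names, the sequence counter and the hub names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Claim is a constructed identity update (assumption: not zot's wire format). The
// identity is the public key; Primary is the hub in charge; NewKey marks a rotation.
type Claim struct {
	Identity ed25519.PublicKey `json:"identity"`
	Primary  string            `json:"primary"`
	NewKey   ed25519.PublicKey `json:"new_key,omitempty"`
	Seq      uint64            `json:"seq"` // monotonic counter: stale claims cannot be replayed
}

// Sign is the key holder's signature over the canonical JSON of a claim.
func Sign(priv ed25519.PrivateKey, c Claim) []byte {
	b, _ := json.Marshal(c)
	return ed25519.Sign(priv, b)
}

// Verify accepts a claim only if it is signed by the key the follower already trusts
// and is newer than the last claim seen; it returns the key to trust from now on.
func Verify(trusted ed25519.PublicKey, lastSeq uint64, c Claim, sig []byte) (ed25519.PublicKey, bool) {
	b, _ := json.Marshal(c)
	if !c.Identity.Equal(trusted) || c.Seq <= lastSeq || !ed25519.Verify(trusted, b, sig) {
		return trusted, false
	}
	if c.NewKey != nil {
		return c.NewKey, true // rotation: followers now bind the identity to the new key
	}
	return trusted, true
}

// Scenario replays the post: failover to example.social, a hub without the private key
// trying to claim primary, then a key rotation endorsed by the old key.
func Scenario() (failover, forgery, rotation bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)         // the nomadic identity
	newPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key that is not (yet) the identity
	c1 := Claim{Identity: pub, Primary: "example.social", Seq: 1}
	trusted, failover := Verify(pub, 0, c1, Sign(priv, c1))
	c2 := Claim{Identity: pub, Primary: "untrustworthy.social", Seq: 2}
	_, forgery = Verify(trusted, 1, c2, Sign(otherPriv, c2)) // wrong key: rejected
	c3 := Claim{Identity: pub, Primary: "trwnh.com", NewKey: newPub, Seq: 2}
	trusted, rotation = Verify(trusted, 1, c3, Sign(priv, c3)) // old key endorses the new one
	return failover, forgery, rotation && trusted.Equal(newPub)
}
func main() {
	f, g, r := Scenario()
	fmt.Println("failover accepted:", f, "forgery accepted:", g, "rotation accepted:", r)
}
```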