The validator operator key only has a public key and has no private key to handle the validator;
instead, the validator owner can map any account key to the validator operator and is able to rotate this handle key.
There is no private key for the validator operator, so there is no need to rotate the validator operator key; only rotating the handle key is needed.
Also, we need to clarify how tombstone can affect the validator and delegator. Does it have to allow validator key rotation to restart validating without changing its identity? If so, why does tombstone exist?
The intention of tombstone is not very clear, so it is difficult to clearly define the validator key rotation spec.
I really cannot understand the idea of key=account in the blockchain space begun by Satoshi. If you have a bank account, the account number (public key of address) is completely independent of the OTP key. Users map any arbitrary OTP key to their account. OTP is not an account and an account is not a key. Most blockchain key/account structures are really counter-intuitive and wrongly designed as a financial service.
“If you lost your private key, it is your fault. Be responsible.” - this is a very irresponsible design of a system. It is a flaw, and we should try our best to allow users to become “irresponsible” (at least much less responsible) about their private key management. It is the responsible system for users.