Comment by lxgr

2 years ago

> this sounds like it should either be a fundamental part of the protocol if it does get implemented.

You can do what the original OTR protocol did, i.e. "publish" previous authentication keys as soon as new ones superseding them are available.

But that's conceptually less elegant than what e.g. Signal does (which is to never even have non-repudiable keys available through their triple DH handshake construction, if I understand it correctly):

https://signal.org/blog/simplifying-otr-deniability/
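A toy model of the key-publication idea described above, added here as an illustration (not lxgr's code and not the OTR implementation); the class and function names are hypothetical, and the sample message is constructed:

```python
import hashlib
import hmac
import os


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Authenticate a message with a symmetric key (HMAC, as OTR's MAC keys do)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a tag against the given key."""
    return hmac.compare_digest(mac_tag(key, message), tag)


class DeniableSender:
    """Hypothetical sender that rotates its MAC key and publishes superseded keys."""

    def __init__(self) -> None:
        self.current_key = os.urandom(32)
        self.published_keys: list[bytes] = []  # readable by anyone once rotated

    def send(self, message: bytes) -> tuple[bytes, bytes]:
        return message, mac_tag(self.current_key, message)

    def rotate(self) -> None:
        # As soon as a new key supersedes the old one, the old one is published.
        # Anyone can then produce valid tags for past messages, so an archived
        # transcript no longer proves who wrote it (deniability).
        self.published_keys.append(self.current_key)
        self.current_key = os.urandom(32)


def demo() -> dict:
    alice = DeniableSender()
    msg, genuine_tag = alice.send(b"constructed sample message")
    alice.rotate()
    old_key = alice.published_keys[-1]
    # A third party who only saw the published key forges a tag for the same text.
    forged_tag = mac_tag(old_key, msg)
    return {
        "forged_verifies": mac_verify(old_key, msg, forged_tag),
        "indistinguishable": forged_tag == genuine_tag,
        # The live key was never published, so current traffic stays authenticated.
        "current_key_still_private": not mac_verify(alice.current_key, msg, forged_tag),
    }
```

Because HMAC is deterministic, the forged tag is byte-identical to the genuine one, which is exactly why the published key removes non-repudiation without weakening in-session authentication.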