Hosting a party on multiple participants
I have 3 participants. Every time I need to onboard a new external party, I need all 3 participants to sign and submit the PartyToParticipant topology transaction.
The question is: if I set up the same key, restricted to the same topology mapping use, on all 3 participants (see Namespace - Restrict key usage — Digital Asset’s platform documentation, which explains how to limit the usage of cryptographic keys of a Canton node to specific purposes, as a best practice to contain the damage from potentially compromised keys), could I then use that key to submit a single topology transaction to add that party to the mapping for all 3 participants?
It should work. What you probably want is to create a new intermediate namespace key externally, and delegate to it from all three nodes with the PARTY_TO_PARTICIPANT mapping restriction as documented here: Namespace Key Management — Digital Asset’s platform documentation
The risk here is that that intermediate key could also unhost parties from the participants. So that key can do damage.
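To make the answer's two points concrete, here is a small Python model of the setup it describes, added as an illustration (it is not Canton code and does not use the Canton console API). It models three participant namespaces that each delegate to one intermediate key with a restriction to the PartyToParticipant mapping, checks which mapping types that key may sign, and runs a defender-side check that flags a new PartyToParticipant serial that drops a participant (the unhosting risk named above). The authorization rule is a deliberate simplification stated in the code (the party's namespace and every participant whose hosting changes must authorize); all fingerprints and identifiers are made up.

```python
"""Toy model of namespace delegations with mapping restrictions.

Constructed illustration, not Canton's implementation or API. The
authorization rule in required_namespaces() is a simplification chosen for
this example; consult the Canton topology documentation for the real rules.
"""
from dataclasses import dataclass
from enum import Enum


class Mapping(Enum):
    NAMESPACE_DELEGATION = "NamespaceDelegation"
    PARTY_TO_PARTICIPANT = "PartyToParticipant"


@dataclass(frozen=True)
class Delegation:
    namespace: str      # namespace granting authority (identified by its root key fingerprint)
    target_key: str     # fingerprint of the delegated-to (intermediate) key
    allowed: frozenset  # mapping types the target key may sign in this namespace


@dataclass(frozen=True)
class PartyToParticipant:
    party: str          # "<name>::<namespace>"
    serial: int
    hosting: frozenset  # participant ids, each "<name>::<namespace>"


def namespace_of(uid: str) -> str:
    """Namespace part of a "<name>::<namespace>" unique identifier."""
    return uid.split("::", 1)[1]


def can_sign(key, namespace, mapping, roots, delegations) -> bool:
    """A key may sign a mapping for a namespace if it is that namespace's root key
    or holds a delegation from it whose restriction permits this mapping type."""
    if roots.get(namespace) == key:
        return True
    return any(d.namespace == namespace and d.target_key == key and mapping in d.allowed
               for d in delegations)


def required_namespaces(new, old):
    """Simplified rule (assumption for this example): the party's namespace and
    every participant whose hosting status changes must authorize the change."""
    before = old.hosting if old else frozenset()
    changed = (new.hosting - before) | (before - new.hosting)
    return {namespace_of(new.party)} | {namespace_of(p) for p in changed}


def check_change(new, old, signers, roots, delegations):
    """Return whether the signer set covers every required namespace, and which
    participants the new serial unhosts (the caveat a defender should alert on)."""
    covered = all(
        any(can_sign(k, ns, Mapping.PARTY_TO_PARTICIPANT, roots, delegations) for k in signers)
        for ns in required_namespaces(new, old)
    )
    removed = (old.hosting - new.hosting) if old else frozenset()
    return {"authorized": covered, "unhosted": removed}


# Constructed fixture: three participants, one external party, one intermediate key.
ROOTS = {"ns-p1": "k-p1", "ns-p2": "k-p2", "ns-p3": "k-p3", "ns-alice": "k-alice"}
PTP_ONLY = frozenset({Mapping.PARTY_TO_PARTICIPANT})
DELEGATIONS = [Delegation(ns, "k-intermediate", PTP_ONLY) for ns in ("ns-p1", "ns-p2", "ns-p3")]
PARTICIPANTS = frozenset({"p1::ns-p1", "p2::ns-p2", "p3::ns-p3"})


def onboarding_example():
    """Serial 1 hosts alice on all three participants; one intermediate signature
    replaces the three participant signatures, the party's own key still signs."""
    new = PartyToParticipant("alice::ns-alice", 1, PARTICIPANTS)
    return check_change(new, None, {"k-intermediate", "k-alice"}, ROOTS, DELEGATIONS)


def unhosting_example():
    """Serial 2 silently drops p3: still authorizable by the same keys, so the
    'unhosted' field is what a monitoring rule should alert on."""
    old = PartyToParticipant("alice::ns-alice", 1, PARTICIPANTS)
    new = PartyToParticipant("alice::ns-alice", 2, PARTICIPANTS - {"p3::ns-p3"})
    return check_change(new, old, {"k-intermediate", "k-alice"}, ROOTS, DELEGATIONS)


if __name__ == "__main__":
    print("onboarding:", onboarding_example())
    print("unhosting:", unhosting_example())
    print("intermediate key may sign NamespaceDelegation for ns-p1:",
          can_sign("k-intermediate", "ns-p1", Mapping.NAMESPACE_DELEGATION, ROOTS, DELEGATIONS))
```

The restriction limits blast radius (the intermediate key cannot create further delegations or other mapping types in the participant namespaces), but within PartyToParticipant it is as powerful as the three participant keys were, so a serial-by-serial diff that alerts on removed participants is the practical complement to the key restriction.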