There's a small cluster of related work building up on SSH keys:
See PHI135. See T13006. We don't validate that private keys in Passphrase are really usable private keys.
See PHI500. We don't validate that public keys in Auth are really usable public keys.
See PHI269. An install would like @cert-authority support, although this potentially makes key revocation complicated.