So I'm assuming the way to handle SSH public keys in Windows is sign them with a CA, feels like a missed opportunity to not involve AD more into this; stick keys under a user attribute so something like that