Rather than having to remember what all the places are when rotating one's SSH keys or adding a new device, and rather than copying one SSH key around everywhere, it could be more convenient to just whitelist a SSH CA and have it sign any new keys.

This should be fairly easy to implement by making cert-authority a valid prefix of the SSH key, which is then returned by git-auth. So for example allow to set cert-authority ssh-ed25519 AbTheCAsKeyGoesHere and return it exactly like that for the AuthorizedKeysCommand.