Bug 3001 (openpgp-ed25519-cert@monkeysphere.info) - enable sending OpenPGP-formed certificates for ssh hosts
Summary: enable sending OpenPGP-formed certificates for ssh hosts
Status: CLOSED WONTFIX
Alias: openpgp-ed25519-cert@monkeysphere.info
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.0p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-01 01:58 AEST by Daniel Kahn Gillmor
Modified: 2021-04-23 14:55 AEST
Description Daniel Kahn Gillmor 2019-05-01 01:58:31 AEST
This is a feature request for in-band transmission of OpenPGP certificates for OpenSSH hosts.

I propose adding a new HostKeyAlgorithm `openpgp-ed25519-cert@monkeysphere.info`, which transmits that same public key material, wrapped in OpenPGP key material to the client.

The first step of the implementation would just be server-side: if the client states a preference for that algorithm, and sshd knows of a `HostKey` named `$FOO` that contains an ed25519 secret key, and `$FOO.pgp` exists, then `sshd` should just send the content of `$FOO.pgp` over the wire, while working with the secret key found in `$FOO`.

This permits the host to send in-band OpenPGP-style certificates, without `sshd` needing to know anything about the format.

The second step toward making this useful in an OpenSSH-on-both-endpoints ecosystem would be client-side, something like the `KnownHostsCommand` request from bug 1777; I'll defer that discussion over there.
Comment 1 Damien Miller 2020-01-25 23:45:07 AEDT
We don't want to support another certificate algorithm with the requisite additional attack surface and additional, significantly different semantics to OpenSSH's existing key/cert methods, sorry.
Comment 2 Damien Miller 2021-04-23 14:55:40 AEST
closing resolved bugs as of 8.6p1 release