On https://github.com/jlmucb/cloudproxy/blob/master/go/tao/auth/ast.go#L110 it is stated that Key might be a DER-encoded X.509 certificate. Why not just a DER-encoded SubjectPublicKeyInfo? Done: jlm