Given a sufficiently modern SPKAC (provided you're not using one with
an outdated/broken message digest), you can have Go validate the
signature on it, so this gives us that capability.
The main annoyance with this is that openssl can't generate these
SPKACs as far as I can tell - for testing, you have to take ones from
a source that is known to generate "good" ones.