You may now specify CriticalOptions in sign_certd's config on a
per-environment basis. This allows you to write a policy that says all
certs against this environment will have exactly these critical options.
You can ensure that certs always launch users into restricted shells or
from a defined range of source IPs as supported by sshd.