Certificate Authentication & Clone URLs

Hi! I have a question about using SSH certificate authentication with GitHub Enterprise Cloud that I’m hoping someone can help with.

I was doing some testing and I noticed that, when I set up an SSH CA, my git clone URLs change from git@... to org-XXX@.... Presumably this is done so that GitHub’s SSH server can differentiate between a connection that should be authenticated using the normal public key mechanism vs. authenticating using SSH certificates.

However, in addition to our private repositories (which we’d like to protect using SSH certificates) we have several public repositories that we’d like anyone to be able to clone. The change described above appears to apply to both public and private repositories: when I upload an SSH CA public key, public repo clone URLs change to use the org-XXX@... URL instead of git@....

Aesthetics aside, that’s fine as long as certificate authentication is optional: non-org users are still able to clone our public repos using the org-XXX@... URL and authenticate using their normal public keys. However, if I “Require SSH Certificates” (under Organization security settings) the org-XXX@... clone URL only works with an SSH certificate. No one outside of my organization has such a certificate, but the org-XXX@... clone URL continues to be displayed even for public repositories.

The upshot is: when I require SSH certificates the clone URL displayed to non-organization users is unusable – our public repo clone URLs stop working for non-org members. There does appear to be a workaround: the normal git@... clone URLs continue to work, and don’t require an SSH certificate. But there’s no way a normal GitHub user who comes across one of our public repos would know this.

Am I missing something? Is there some workaround that doesn’t involve confusing the hell out of folks who are trying to clone our open source stuff?

As it stands, the “require certificate authentication” feature is unusable for my org (and I’m guessing lots of others). And certificate authentication isn’t particularly useful as a security feature unless it’s required.

Hopefully I’m overlooking something simple. Appreciate any help!
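An added example (not from the original post) of the workaround the post describes: a small POSIX shell helper that turns a certificate-only org-XXX@ clone URL back into the git@ form, plus a helper that makes git do the rewrite automatically with its url.<base>.insteadOf setting. The org id org-12345, the repo acme/widget and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from GitHub.
# "org-12345" and "acme/widget" are constructed placeholder values.

# Print the git@ equivalent of an SCP-style "org-XXX@github.com:" clone URL.
# Any other URL is printed unchanged.
rewrite_clone_url() {
  url="$1"
  case "$url" in
    org-*@github.com:*)
      # Keep everything after "@github.com:" (the owner/repo path).
      printf '%s\n' "git@github.com:${url#*@github.com:}"
      ;;
    *)
      printf '%s\n' "$url"
      ;;
  esac
}

# Make git apply the same rewrite on every clone/fetch/push, so a pasted
# org-XXX@ URL works for a user who has no SSH certificate. Arguments: the
# org id (e.g. "org-12345") and, optionally, the git config file to write to
# (defaults to ~/.gitconfig). Requires git on PATH.
install_rewrite() {
  org="$1"
  cfg="${2:-$HOME/.gitconfig}"
  git config --file "$cfg" "url.git@github.com:.insteadOf" "${org}@github.com:"
}

# Demo on a constructed URL; prints git@github.com:acme/widget.git
rewrite_clone_url "org-12345@github.com:acme/widget.git"
```

Run `install_rewrite org-12345` once to persist the rewrite; `git clone org-12345@github.com:acme/widget.git` then connects as git@github.com and uses the user's ordinary SSH key.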