Problem: new hosts, or re-imaged hosts, have new SSH host keys, which need to be communicated securely to all relevant people. We have the wmf-utils repository, which has a script to update the user's known hosts file, by running ssh-keyscan on a trusted host. However, that doesn't cover (some?) WMCS hosts. For those there is a wiki page. These are not entirely satisfactory solutions.
SSH has supported host key certificates for many years: special Certificate Authority keys that can sign host keys. If a server's host key is signed by a CA key, and the client is configured to trust that key, the client will automatically trust the host key. This way, only the CA public key needs to be communicated to each user, which is a much smaller hurdle.
Would SRE and WMCS be willing to implement an SSH CA for host keys?
An SSH CA can also be used to certify user keys. I'm only asking for host keys here.
(Adding tags as I understand them. Please adjust if I get them wrong. SRE, WMCS added since this would need to be done by them; RelEng because they are affected by host keys every so often; security as I assume they'll want to have a say.)
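The host-key signing flow described in the task, as an added example that is not part of the original task or of wmf-utils: it creates a throwaway CA, signs a host key, produces the single `known_hosts` line a user would need, and checks that the certificate was signed by the expected CA. The file names, `host1.example.org` and the `*.example.org` pattern are placeholders.

```shell
#!/bin/sh
# Constructed demo of an SSH host CA. All names and paths are placeholders,
# not Wikimedia's configuration.

# Create a throwaway host CA and sign a host key with it.
# $1 = work directory, $2 = host FQDN.
sign_host_key() {
    dir=$1; host=$2
    # CA key pair: in practice the private half stays on a locked-down signing host.
    ssh-keygen -q -t ed25519 -N '' -C 'demo host CA' -f "$dir/ca_key"
    # Stand-in for the host key sshd generates on a new or re-imaged host.
    ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$dir/ssh_host_ed25519_key"
    # -h: host certificate, -I: identity recorded in logs, -n: principals
    # (names the certificate is valid for), -V: validity period.
    # Writes ssh_host_ed25519_key-cert.pub, which sshd serves once
    # sshd_config has a HostCertificate line pointing at it.
    ssh-keygen -q -s "$dir/ca_key" -h -I "$host" -n "$host" -V +52w \
        "$dir/ssh_host_ed25519_key.pub"
}

# The only line a user needs in known_hosts: trust the CA for a host pattern.
# $1 = work directory, $2 = hostname pattern.
known_hosts_line() {
    printf '@cert-authority %s %s\n' "$2" "$(cat "$1/ca_key.pub")"
}

# Fingerprint of the CA that signed a certificate, as reported by ssh-keygen -L.
cert_signing_ca() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}'
}

# Fingerprint of a public key file.
key_fingerprint() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Succeeds only if the certificate in $1 was signed by the CA public key in $2.
signed_by_ca() {
    [ "$(cert_signing_ca "$1")" = "$(key_fingerprint "$2")" ]
}
```

After a re-image, only `sign_host_key`'s signing step has to be repeated for the new host key; the `@cert-authority` line on user machines stays the same.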