What do you want to protect against precisely? "Key misuse" as in it signed a blob it shouldn't have signed?