the keys are fine.  as things stand, though, unless i've missed
something, you'll need an auth server that takes its root from kfs,
because if a cpu server takes its root only from a file server, 9/boot
expects factotum to authenticate for it, and normal factotum expects
an authentication server to make the tickets for it.

(i've temporarily got an abnormal factotum that can make its
own ticket for a server if the auth server isn't there yet.)