Reported on the mailing list. OP tried to set the 'confirm' flag for an
authentication key on an OpenPGP card in the sshcontrol file.
Digging into the code revealed that the key on the card is always prepended to
the keys listed in sshcontrol, and no deduplication/merging is done due to the
streaming programming model.