In CertificationParameters, when we check the key parameters, we check that the key is non-restricted.
I'm curious about the case where, after activating the AK, we need to prove that some restricted key is also in the same TPM.
https://github.com/google/go-attestation/blob/master/attest/certification.go#L146
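
The attribute check discussed above, sketched as an added example (not go-attestation's code): it reads TPMA_OBJECT from a marshalled TPMT_PUBLIC and makes the restricted-key decision a caller-supplied policy. `checkCertifiedKey`, `allowRestricted` and `samplePublic` are hypothetical names, the fixedTPM requirement is an assumption, and the input bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TPMA_OBJECT bits, as defined in the TPM 2.0 Structures specification.
const (
	attrFixedTPM   uint32 = 1 << 1
	attrRestricted uint32 = 1 << 16
)

var (
	errRestricted  = errors.New("certified key is restricted")
	errNotFixedTPM = errors.New("certified key is not fixedTPM")
)

// checkCertifiedKey (hypothetical) reads TPMA_OBJECT from a marshalled
// TPMT_PUBLIC, whose fixed header is type (2 bytes), nameAlg (2 bytes),
// objectAttributes (4 bytes), and applies the attribute policy.
func checkCertifiedKey(pub []byte, allowRestricted bool) error {
	if len(pub) < 8 {
		return errors.New("TPMT_PUBLIC shorter than its fixed header")
	}
	attrs := binary.BigEndian.Uint32(pub[4:8])
	if attrs&attrFixedTPM == 0 { // assumption: key must not leave its TPM
		return errNotFixedTPM
	}
	if attrs&attrRestricted != 0 && !allowRestricted {
		return errRestricted
	}
	return nil
}

// samplePublic builds a constructed TPMT_PUBLIC header (RSA, SHA-256).
func samplePublic(attrs uint32) []byte {
	b := []byte{0x00, 0x01, 0x00, 0x0B, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(b[4:], attrs)
	return b
}

func main() {
	restricted := samplePublic(attrFixedTPM | attrRestricted)
	fmt.Println(checkCertifiedKey(restricted, false)) // policy rejects it
	fmt.Println(checkCertifiedKey(restricted, true))  // policy accepts it
}
```

The attribute bits only carry weight once the certify signature has been verified and the attested Name has been matched against this public area, since the Name is what binds the attributes to the key.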