People have also suggested using the Photuris protocol that is part of the IP Security work being done at IETF (ftp://www.cnri.reston.va.us/internet-drafts/draft-ietf-ipsec-photuris-02.txt). The basic idea behind the protocol goes roughly like this:

1. Exchange session keys using Diffie-Hellman.
2. Each side sends a signature of the Diffie-Hellman exchange (the signature can be with any of a number of algorithms; RSA and Elliptic Curve systems have been defined).

If this were adapted to ssh, the protocol would look roughly like this:

1. Exchange session keys using Diffie-Hellman.
2. Each side sends a signature of the Diffie-Hellman exchange by its host key.
3. RSA and Rhosts authentication requests would include a signature by the requesting key.

This would get rid of the server key and the need to regenerate it, because the Diffie-Hellman exchange already prevents decrypting old conversations. The challenge dialogs could be avoided (unless they are needed for performance reasons to avoid unnecessary signature computations). One could also eliminate RSA in the future and start using some other public key cryptosystem if desired. The Diffie-Hellman patent and the generic public key patent expire in 1997; the RSA patent does not expire until about the year 2000.

Anyway, this would be a major change that probably cannot easily be made compatibly. Maybe an incompatible ssh-2.x? Anyway, I don't want to rush into making major changes in the protocol. I would very much like to hear comments on this approach.

Tatu
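The exchange sketched in the message, as an added example that is not part of the original post or of any ssh release: both sides do a Diffie-Hellman exchange, then each signs the exchange with its long-term key, so a man-in-the-middle who substitutes his own DH value is caught because the signature he relays covers a transcript the other side did not see. The example runs offline in pure Python and makes several assumptions the message does not: the 1024-bit MODP group from RFC 2409 (Oakley group 2, later ssh's diffie-hellman-group1) stands in for the server's choice of group and is far too small for real use today; host and user keys are toy RSA keys generated inline with a minimal Miller-Rabin test; the signed transcript (`transcript()`), its SHA-256 hashing and the PKCS#1 v1.5-style padding in `_encode()` are this example's own choices, not anything the proposal or Photuris fixes; and `run_exchange()` is a simulation of both parties in one process rather than a network protocol implementation.

```python
import hashlib
import secrets

# 1024-bit MODP group (Oakley group 2 from RFC 2409, later ssh's
# diffie-hellman-group1-sha1). Used here only because it is a standard group;
# it is far too small for real use today. Assumption of this example.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (illustration-grade, not production code)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and bottom bit
        if is_probable_prime(c):
            return c


def rsa_keygen(bits=1024):
    """Toy RSA host/user key: dict with public (n, e) and private d. Example only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # gcd(e, phi) == 1 because e is prime
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _encode(msg, n):
    # PKCS#1 v1.5-style padding of a SHA-256 digest, without the DigestInfo prefix.
    # This example's own choice; the proposal does not specify a signature encoding.
    k = (n.bit_length() + 7) // 8
    h = hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - 3 - len(h)) + b"\x00" + h, "big")


def rsa_sign(key, msg):
    return pow(_encode(msg, key["n"]), key["d"], key["n"])


def rsa_verify(key, msg, sig):
    return 0 < sig < key["n"] and pow(sig, key["e"], key["n"]) == _encode(msg, key["n"])


def i2b(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)


def dh_shared(x, peer_pub):
    # Reject 0, 1 and P-1: in a safe-prime group those are the only small-subgroup values.
    if not 1 < peer_pub < P - 1:
        raise ValueError("bad Diffie-Hellman public value")
    return pow(peer_pub, x, P)


def transcript(client_pub, server_pub, shared):
    # What each side signs: both DH public values plus the shared secret (assumed format).
    return b"ssh-dh-sig-example" + i2b(client_pub) + i2b(server_pub) + i2b(shared)


def run_exchange(client_key, server_key, mitm=False):
    """Simulate the proposed exchange in one process. With mitm=True an attacker
    replaces both DH values on the wire, which the signatures exist to catch."""
    cx, c_pub = dh_keypair()                  # 1. client -> server: g^x
    sx, s_pub = dh_keypair()                  #    server -> client: g^y
    if mitm:
        _, m_pub = dh_keypair()               # attacker substitutes his own g^z both ways
        s_pub_seen, c_pub_seen = m_pub, m_pub
    else:
        s_pub_seen, c_pub_seen = s_pub, c_pub
    k_client = dh_shared(cx, s_pub_seen)      # each side derives K from what it received
    k_server = dh_shared(sx, c_pub_seen)
    # 2. each side signs its own view of the exchange with its long-term key.
    sig_s = rsa_sign(server_key, transcript(c_pub_seen, s_pub, k_server))
    sig_c = rsa_sign(client_key, transcript(c_pub, s_pub_seen, k_client))
    # Signatures are relayed unchanged: the attacker holds neither private key.
    return {
        "client_accepts": rsa_verify(server_key, transcript(c_pub, s_pub_seen, k_client), sig_s),
        "server_accepts": rsa_verify(client_key, transcript(c_pub_seen, s_pub, k_server), sig_c),
        "keys_match": k_client == k_server,
        "session_key": hashlib.sha256(i2b(k_client)).hexdigest(),
    }


if __name__ == "__main__":
    host_key, user_key = rsa_keygen(), rsa_keygen()
    print("honest:", run_exchange(user_key, host_key))
    print("mitm:  ", run_exchange(user_key, host_key, mitm=True))
```

Two points the simulation makes concrete. First, nothing long-lived is used to encrypt anything: the server's RSA key only signs, so compromising it later does not let an attacker decrypt recorded sessions, which is the reason the message gives for dropping the regenerated server key. Second, the signature must cover the exchange as the signer saw it, including the peer's public value; signing only one's own value would let the attacker relay that signature unchanged while still substituting the other half of the exchange.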