Anyway, the upshot is that a Station To Station protocol is developed and discussed which is based on the original D-H system.
The STS protocol is a regular D-H followed by a (delicately designed) exchange of signatures on the key exchange parameters. The signatures in the second exchange are arranged so that they can't be separated from the original parameters.
Damn, I don't have the paper with me, so I'm not sure whether third party certification is needed.
There is a digital signature required, so what is at root required is a trusted public key of the other party. One can use a certificate to establish this trust and transmit it at session time, but any other method of communicating a public key will work, including a trusted web of trust or direct previous transmission. STS is a well-thought-out protocol, with many subtleties already arranged for. For the issue at hand, though, which is Ethernet sniffing, its authentication aspects are not required now, even though they certainly will be in the near future.

Eric
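As an added example that is not part of Eric's post and not code from the STS paper, here is a toy run of the exchange he describes: a plain D-H followed by each side signing both exponentials, with the signature tied to the fresh key. The group is a small safe-prime group found at import time, the signature scheme is Schnorr, and an HMAC under a key derived from g^xy stands in for the paper's encryption of each signature (that substitution, the `Party`/`run_sts` names and the `intercept` hook are all my assumptions, not anything the post or the paper specifies). Parameter sizes are toy sizes; real use needs a standard 2048-bit-or-larger group and a real signature scheme.

```python
# Added illustration of STS (not code from the post or the STS paper): toy 127-bit safe-prime
# D-H group, Schnorr signatures, HMAC under the fresh key in place of the paper's encryption.
import hashlib
import hmac
import secrets

BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n: int) -> bool:             # Miller-Rabin with fixed bases (probabilistic)
    if n < 2 or any(n % p == 0 for p in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits: int) -> tuple[int, int]:   # first q >= 2**(bits-1) with q, 2q+1 prime
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(127)                 # deterministic toy group (use a standard group for real)
G, NBYTES = 4, (P.bit_length() + 7) // 8    # 4 = 2**2 generates the order-Q subgroup of Z_P^*

def itob(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")

def encode(*fields: bytes) -> bytes:        # length-prefixed, so (g^y, g^x) can't be re-split
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def h2s(*fields: bytes) -> int:             # hash the fields to a scalar mod Q
    return int.from_bytes(hashlib.sha256(encode(*fields)).digest(), "big") % Q

def keygen() -> tuple[int, int]:            # (secret exponent, g^exponent)
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: bytes) -> tuple[int, int]:     # Schnorr signature (e, s) under key x
    k, r = keygen()
    e = h2s(itob(r), msg)
    return e, (k - x * e) % Q

def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    return 0 <= e < Q and 0 <= s < Q and h2s(itob(pow(G, s, P) * pow(y, e, P) % P), msg) == e

def check_exponential(v: int) -> int:       # reject 0, +-1 and small-subgroup elements
    if not 1 < v < P - 1 or pow(v, Q, P) != 1:
        raise ValueError("bad exponential")
    return v

def derive(shared: int) -> tuple[bytes, bytes]:      # (binding key, session key) from g^xy
    k = itob(shared)
    return hashlib.sha256(b"bind" + k).digest(), hashlib.sha256(b"session" + k).digest()

def bind(k_bind: bytes, sig: tuple[int, int]) -> bytes:
    # Stand-in for E_K(signature): proves the signer holds K, tying the signature to this run
    return hmac.new(k_bind, encode(itob(sig[0]), itob(sig[1])), hashlib.sha256).digest()

class Party:
    def __init__(self, name: str):
        self.name, (self.x, self.y) = name, keygen()   # long-term signing key pair
        self.trusted = {}        # peer name -> public key, learned by some trusted path

    def msg2(self, gx: int):                             # B -> A: g^y, bound S_B(g^y, g^x)
        self.gx, (ey, self.gy) = check_exponential(gx), keygen()
        self.k_bind, self.session_key = derive(pow(gx, ey, P))
        sig = sign(self.x, encode(itob(self.gy), itob(gx)))
        return self.gy, sig, bind(self.k_bind, sig)

    def msg3(self, peer: str, gy: int, sig, tag):        # A -> B: bound S_A(g^x, g^y)
        self.gy = check_exponential(gy)
        self.k_bind, self.session_key = derive(pow(gy, self.ex, P))
        self.check(peer, sig, tag, encode(itob(gy), itob(self.gx)))
        my_sig = sign(self.x, encode(itob(self.gx), itob(gy)))
        return my_sig, bind(self.k_bind, my_sig)

    def check(self, peer: str, sig, tag, signed: bytes) -> None:
        if not hmac.compare_digest(tag, bind(self.k_bind, sig)):
            raise ValueError("signature is not bound to this session's key")
        if not verify(self.trusted[peer], signed, sig):
            raise ValueError("signature does not verify under the trusted key")

def run_sts(alice: Party, bob: Party, intercept=lambda gx: gx) -> tuple[bytes, bytes]:
    alice.ex, alice.gx = keygen()                         # A -> B: g^x ...
    gy, sig_b, tag_b = bob.msg2(intercept(alice.gx))      # ... possibly altered on the wire
    sig_a, tag_a = alice.msg3(bob.name, gy, sig_b, tag_b)
    bob.check(alice.name, sig_a, tag_a, encode(itob(bob.gx), itob(bob.gy)))
    return alice.session_key, bob.session_key
```

The `trusted` table is the "trusted public key of the other party" the post calls the root requirement: how it gets filled (certificate at session time, web of trust, earlier contact) is outside the protocol. The `intercept` hook models a sniffer that turns active and swaps its own g^z into the first message; the responder's signature and binding tag then no longer match what the initiator computes, and `msg3` refuses to continue, which is exactly what bare D-H cannot do. An impostor who is the real peer on the wire but whose public key the initiator does not trust fails at the signature check instead.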