Proposal to use DNS as public key repository

Hello,

I think that I've found an easy way to distribute the public keys:
put them into DNS. The records would look like:

<entity-name> IN PKEY <key-type>:<key-value>

for example:

babkin.-at-.bellatlantic.net IN PKEY "ssh1:1024 37 1550134074134018781239180842531603373454309268407729175684597284860789522776765036113307635696866211228019143858148231273490
040923224920369195137540343909305234827187088861055260339103636904616201228905551802270012860844892213877621509748539922264245295221
03235374785283586385586920281234566901122551897435633"

(I'm not quite sure yet if the values can be in quotes and if
the spaces and other funny characters are allowed - but such things
are solvable by some sort of escape sequences).

To allow changing the keys without disruption, allow multiple
PKEY records for an entity, and accept a match to any of them.

Of course it would only be as secure as DNS is difficult to spoof,
so you probably won't want to use it for login information. But
it's still adequate for less demanding applications, such as
signing e-mail or establishing the identity of the SMTP servers.

-SB
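As an added illustration of the proposed record format (not code from the post or from any DNS implementation), the parser and matcher below read zone-file style PKEY lines, strip the quoting and backslash escapes the post suggests for spaces and special characters, and accept a presented key if it matches any of the owner's PKEY records, which is the rollover rule described above. The owner names, key values and function names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed zone fragment in the proposed syntax; the second record for
# the same owner is a replacement key published during a key rollover.
CONSTRUCTED_ZONE = '''
alice.-at-.example.net IN PKEY "ssh1:1024 37 1550134074134018781"
alice.-at-.example.net IN PKEY "ssh1:1024 35 9080706050403020100"
mail.example.net       IN PKEY "ssh1:1024 37 7070707070707070707"
'''

@dataclass(frozen=True)
class PKeyRecord:
    owner: str
    key_type: str
    key_value: str

_QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

def _unquote(rdata: str) -> str:
    """Strip optional surrounding quotes and decode backslash escapes."""
    m = _QUOTED.match(rdata)
    return re.sub(r'\\(.)', r'\1', m.group(1)) if m else rdata

def parse_pkey_line(line: str) -> PKeyRecord:
    """Parse '<owner> IN PKEY <key-type>:<key-value>' into a record.
    maxsplit=3 keeps a quoted value whole even if it wraps onto several lines."""
    parts = line.strip().split(None, 3)
    if len(parts) != 4 or parts[1].upper() != "IN" or parts[2].upper() != "PKEY":
        raise ValueError(f"not a PKEY record: {line!r}")
    key_type, sep, key_value = _unquote(parts[3]).partition(":")
    if not sep or not key_type or not key_value.strip():
        raise ValueError(f"rdata must be <key-type>:<key-value>: {parts[3]!r}")
    # Normalise case of names/types and whitespace inside the key so that
    # line wrapping in the zone file does not affect comparison.
    return PKeyRecord(parts[0].lower(), key_type.lower(), " ".join(key_value.split()))

def load_zone(text: str) -> list[PKeyRecord]:
    """Parse every non-blank line of a zone fragment."""
    return [parse_pkey_line(l) for l in text.splitlines() if l.strip()]

def key_matches(records, owner: str, key_type: str, presented_key: str) -> bool:
    """Accept the presented key if ANY PKEY record of the owner with the
    same key type carries it (the post's multiple-record rollover rule)."""
    wanted = " ".join(presented_key.split())
    return any(r.owner == owner.lower() and r.key_type == key_type.lower()
               and r.key_value == wanted for r in records)
```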
