Because of the case for absolute simplicity, I think if anything, - it might even make sense to remove the TOFU and make ssh even less user friendly; requiring the + it might even make sense to remove the TOFU and make the ssh client even less user friendly; requiring the expected host key to be passed in on every command would dramatically increase the security of real-world SSH usage. - This might already be possible with SSH client configuration. + This might already be possible with a custom SSH client configuration. In order to make it more human-friendly again while keeping the security benefits, we can create a new layer of abstraction on top of SSH, create regime-specific automation & wrapper scripts.