Suggestion mentioned on IRC: have all the host keys signed so that we can just approve the ca pubkey and be confident connecting to ring nodes without host key prompts