This is a deep question. Aside from implementation issues, it can be restated:

How do I exchange encryption keys oven an untrusted channel?

There is a lot of information out there. 'Certificate Authority' is one solution, 'Ring of Trust' is another. Self-certification is possible if you have an account on a host trusted by the target. Try "key exchange" trust.

After Compline,
Zaxo