diff --git a/hkexnet/hkexnet.go b/hkexnet/hkexnet.go
index 1d146bc..4337502 100644
--- a/hkexnet/hkexnet.go
+++ b/hkexnet/hkexnet.go
@@ -16,6 +16,12 @@ package hkexnet
 // prefix the channel setup with this param over the wire in order to decide
 // which is in use.
 //
+// DESIGN PRINCIPLE: There shall be no protocol features which enable
+// downgrade attacks. The server shall have final authority to accept or
+// reject any and all proposed KEx and connection parameters proposed by
+// clients at setup. Action on denial shall be a simple server disconnect
+// with possibly a status code sent so client can determine why connection
+// was denied (compare to how failed auth is communicated to client).
 // Implementation of HKEx-wrapped versions of the golang standard
 // net package interfaces, allowing clients and servers to simply replace
diff --git a/hkexsh/hkexsh.go b/hkexsh/hkexsh.go
index d8030da..6562e0c 100755
--- a/hkexsh/hkexsh.go
+++ b/hkexsh/hkexsh.go
@@ -318,7 +318,7 @@ func rejectUserMsg() string {
 // connection (app-specific, passed through to the server to use or
 // ignore at its discretion).
 func main() {
-	version := "0.1pre (NO WARRANTY)"
+	version := "0.2pre (NO WARRANTY)"
 	var vopt bool
 	var dbg bool
 	var shellMode bool // if true act as shell, else file copier
diff --git a/hkexshd/hkexshd.go b/hkexshd/hkexshd.go
index a625d53..20ac792 100755
--- a/hkexshd/hkexshd.go
+++ b/hkexshd/hkexshd.go
@@ -317,7 +317,7 @@ func runShellAs(who, ttype string, cmd string, interactive bool, conn hkexnet.Co
 // Listener and Conns. The KEx and encrypt/decrypt is done within the type.
 // Compare to 'serverp.go' in this directory to see the equivalence.
 func main() {
-	version := "0.1pre (NO WARRANTY)"
+	version := "0.2pre (NO WARRANTY)"
 	var vopt bool
 	var chaffEnabled bool
 	var chaffFreqMin uint
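Review bot: The DESIGN PRINCIPLE block added to the hkexnet package comment states the anti-downgrade rule but does not say where in the package it is enforced, so a reader cannot check the claim against code; the last added line should end with a pointer such as `// Enforced in the server-side channel-setup parameter check; see the KEx/cipher/HMAC validation in this package.` (naming the actual function once it exists). The denial status code is described as optional and free-form ("possibly a status code"); to keep the principle meaningful it should be a fixed enumerated value that identifies only the rejected parameter class, stated as `// Denial status codes are fixed enumerated values and carry no negotiation detail beyond the rejected parameter class.`, so a rejection cannot be used to steer a client into re-proposing weaker parameters. Unless a separator line was lost in this chunk's layout, the new paragraph runs straight into the `// Implementation of HKEx-wrapped versions ...` paragraph with no blank `//` line, so godoc will render them as one paragraph. Minor wording: "proposed KEx and connection parameters proposed by clients" repeats "proposed". The version bumps in hkexsh.go and hkexshd.go need no comment.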