Hi,

I am a new OTR user and have shared it with a few of my privacy-conscious friends. Overall, getting it going using Pidgin has been an extremely smooth experience, but one hiccup has been explaining authentication. The two people I use OTR with now are 'authenticated', but only in that we have confirmed each other's keys (advanced > [I Have] ...); when I mentioned authenticating using some secret that we both know, like the name of a place that fits some description, they became confused. If privacy-conscious hackers don't understand without reading a lot of documentation, I think there is a weakness in usability.

For my friends, they just 'knew' at the time that they were talking to me, so authenticating using a shared secret was not something that they cared to investigate further. Confirming the key was 'good enough' to make the icon say "OTR: Private". If authentication were more streamlined and explained in the GUI (smaller learning curve), chances are we would have used a shared secret. It may seem like a PEBKAC issue, but really, if the goal is to get people to take full advantage of OTR, it needs to be addressed.

My initial thoughts are to make sort of a wizard that runs each time OTR is used with an unverified client. Prompt the person initiating the conversation to enter some text that the other person can derive the shared secret from, for example "The name of the place we spilled the iced tea all over the waiter", and the receiver would then be prompted for the shared secret when they receive the message. For usability's sake, I also think it would be beneficial to give the option to ignore case/space/punctuation in the answer (convert the secret to lower case, eliminate spaces and punctuation).

Thoughts?
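The question-and-answer flow proposed above, with the "ignore case/space/punctuation" option, as an added example that is not part of the original post and not code from the OTR or Pidgin projects. The function names, the normalization rules (NFKC, casefold, strip whitespace and Unicode punctuation/separator characters) and the way the answer is bound to the question are all assumptions made for illustration. Real OTR compares the shared secret with the Socialist Millionaire Protocol, in which neither side sends anything the other could use to recover the secret; the hash comparison here only shows where normalization would sit in that flow and does not provide SMP's zero-knowledge property.

```python
import hashlib
import hmac
import unicodedata


def normalize_secret(answer: str) -> str:
    """Canonicalize a human-typed shared secret.

    Assumed (hypothetical) rules matching the post's "ignore
    case/space/punctuation" option: Unicode NFKC so composed and decomposed
    accents compare equal, casefold (stronger than lower(), handles e.g. ß),
    then drop every character that is whitespace or whose Unicode general
    category is punctuation (P*) or separator (Z*).
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(
        ch for ch in folded
        if not ch.isspace()
        and not unicodedata.category(ch).startswith(("P", "Z"))
    )


def derive_secret(question: str, answer: str) -> bytes:
    """Bind the normalized answer to the question that prompted it.

    Hypothetical construction: SHA-256 over a length-prefixed question and the
    normalized answer, so the same answer given to a different question yields
    a different secret. This is only the shared-secret *input* that both sides
    compute locally; it is not the zero-knowledge comparison OTR's SMP performs.
    """
    norm = normalize_secret(answer).encode("utf-8")
    q = question.encode("utf-8")
    h = hashlib.sha256()
    h.update(len(q).to_bytes(4, "big"))
    h.update(q)
    h.update(norm)
    return h.digest()


def run_exchange(question: str, initiator_answer: str, responder_answer: str) -> bool:
    """Simulate the wizard flow from the post: the initiator sets a question
    and answer, the responder is shown the question and types an answer, and
    the two locally derived secrets are compared in constant time.
    """
    initiator_secret = derive_secret(question, initiator_answer)
    responder_secret = derive_secret(question, responder_answer)
    return hmac.compare_digest(initiator_secret, responder_secret)


if __name__ == "__main__":
    # Constructed sample values for a local demonstration.
    question = "The name of the place we spilled the iced tea all over the waiter"
    print(run_exchange(question, "Corner Café", "corner café!!"))  # True
    print(run_exchange(question, "Corner Café", "Corner Cafe"))    # False
```

Two points worth noting about the design. First, normalization deliberately does not strip accents or fold diacritics, so "Café" and "Cafe" remain different answers; how far to fold is a usability-versus-entropy trade-off, and every character class that is ignored slightly shrinks the space an attacker would have to guess. Second, the digests computed here must never be sent over the wire: a low-entropy answer like a place name would be trivially guessable offline from its hash, which is exactly the problem SMP exists to solve. Normalization belongs before the secret enters SMP, not as a replacement for it.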