[OTR-dev] session termination
Ian Goldberg
ian at cypherpunks.ca
Sun Apr 29 15:43:43 EDT 2007
One problem with dropping to FINISHED when you notice the other side
goes offline is that that notification is unauthenticated. An adversary
can trivially spoof a "Bob went offline" message, and it would be
unfortunate if that caused Alice to forget her session keys.

I also note that most IM networks, I'm pretty sure, don't tell Alice
when Bob goes offline if Bob isn't Alice's buddy, but I don't know how
often people chat with non-buddies in practice.
- Ian
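
The distinction drawn in this message, as an added example that is not part of the original post and is not libotr code: an unauthenticated presence event is only a hint, while a termination notice must verify under the session MAC key before keys are forgotten. The Session class, the notice layout and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum

class State(Enum):
    ENCRYPTED = "encrypted"
    FINISHED = "finished"

def terminate_notice(mac_key, session_id):
    """Build a (body, tag) termination notice. Hypothetical layout."""
    body = b"TERMINATE|" + session_id
    return body, hmac.new(mac_key, body, hashlib.sha256).digest()

class Session:
    """Hypothetical session object for illustration; not libotr's API."""
    def __init__(self, session_id, mac_key, enc_key):
        self.session_id, self.mac_key, self.enc_key = session_id, mac_key, enc_key
        self.state = State.ENCRYPTED
        self.peer_maybe_offline = False

    def on_presence_offline(self):
        # Sent by the IM network and spoofable: record a UI hint,
        # keep the state and the keys untouched.
        self.peer_maybe_offline = True

    def on_terminate(self, body, tag):
        # Only a notice bound to this session and valid under its MAC key
        # moves the session to FINISHED and discards the keys.
        if self.state is not State.ENCRYPTED:
            return False
        want_body, want_tag = terminate_notice(self.mac_key, self.session_id)
        if body != want_body or not hmac.compare_digest(want_tag, tag):
            return False
        self.state = State.FINISHED
        self.mac_key = self.enc_key = None
        return True

def demo():
    # Constructed sample values: random keys and session id.
    sid, mac_key, enc_key = os.urandom(8), os.urandom(32), os.urandom(32)
    alice = Session(sid, mac_key, enc_key)
    alice.on_presence_offline()                      # spoofed "Bob went offline"
    after_presence = (alice.state, alice.enc_key is not None)
    forged = alice.on_terminate(*terminate_notice(os.urandom(32), sid))
    genuine = alice.on_terminate(*terminate_notice(mac_key, sid))
    return after_presence, forged, genuine, alice.state, alice.enc_key
```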