I have a general question about the way OTR authentication happens and the steps involved.
Currently, if I want to make an authenticated OTR chat session with a buddy the workflow is this:
1. I click on the lock icon (start private conversation).
2. The OTR session initiates, but a warning is presented like this:
<buddy_name> is contacting you from an unrecognized computer. You should authenticate <buddy_name>.
where [authenticate <buddy_name>] is a clickable hyperlink
3. I click on it and a dialog box appears where I have to ask my buddy a question whose answer only he or she knows. The explanation is this:
To authenticate using a question, you should pick a question whose answer is only known to you and your buddy. Your buddy will be asked this question and if the answers don't match then you may be talking to an impostor.
The weird part for me was that I have to not only ask the question but also provide the answer. That was strange at first. Then I learned that the mechanism actually works like this:
I give my answer, my buddy gives their answer and if they match, the session is authenticated.
OK, fair enough, but then we face the problem that the buddy's answer needs to match my answer verbatim. Suppose I ask him what school we went to as kids. He may answer with quotes, for example. I would still accept such an answer if I saw it.
Wouldn't it be better if:
1. I only had to ask my question in the first place, without giving any answer.
2. My buddy gives the best answer he/she can.
3. I see his/her answer and, if I consider it correct, I click a button, <Authenticate> (or a hyperlink, or whatever), and our secure chat session is authenticated.
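The question/answer step the post describes is OTR's Socialist Millionaire Protocol (SMP). What the dialog collects from each side is never sent to the other side: each party hashes its own typed answer into a secret, the two secrets are fed through a Diffie-Hellman style exchange, and at the end each side learns only whether the two secrets were equal. The example below is added here as an illustration; it is not code from the post or from any OTR implementation. It runs the SMP core over OTR's 1536-bit MODP group (RFC 3526 group 5, generator 2) with both parties' messages laid out in order, but omits the zero-knowledge proofs that real SMP attaches to each exponent and uses a simplified secret derivation. The fingerprints, session id and the function names are assumptions made for the example.

```python
import hashlib
import secrets

# RFC 3526 group 5 (1536-bit MODP prime), the group OTR uses for SMP; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G1 = 2
Q = (P - 1) // 2  # prime order of the subgroup generated by G1


def derive_secret(answer, fp_initiator, fp_responder, ssid):
    """Hash the typed answer into the SMP secret (simplified from OTR, which also
    prepends a version byte). Fingerprints and session id are bound in so the
    answer only authenticates THIS pair of keys in THIS session. Any byte
    difference in the answer (quotes, case, trailing space) gives an unrelated secret."""
    data = fp_initiator + fp_responder + ssid + answer.encode("utf-8")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rand_exp():
    return secrets.randbelow(Q - 2) + 2  # random exponent in [2, Q)


def inv(a):
    return pow(a, -1, P)


def smp_equal(x, y):
    """SMP core: Alice holds secret x, Bob holds secret y. Neither secret is
    transmitted; each side ends up with a single bit: equal or not."""
    # Message 1, Alice -> Bob: g2a, g3a
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)

    # Message 2, Bob -> Alice: g2b, g3b, Pb, Qb
    b2, b3 = rand_exp(), rand_exp()
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)   # g1^(a2*b2), g1^(a3*b3)
    r = rand_exp()
    Pb = pow(g3_bob, r, P)
    Qb = (pow(G1, r, P) * pow(g2_bob, y, P)) % P        # y only appears blinded here

    # Message 3, Alice -> Bob: Pa, Qa, Ra
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)  # same g2, g3 as Bob's
    s = rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = (pow(G1, s, P) * pow(g2_alice, x, P)) % P      # x only appears blinded here
    Ra = pow(Qa * inv(Qb) % P, a3, P)

    # Message 4, Bob -> Alice: Rb. Bob can already decide.
    Rb = pow(Qa * inv(Qb) % P, b3, P)
    # (Qa/Qb)^(a3*b3) = g3^(s-r) * g2^((x-y)*a3*b3); equals Pa/Pb iff x == y
    bob_ok = pow(Ra, b3, P) == (Pa * inv(Pb)) % P

    # Alice decides with Rb
    alice_ok = pow(Rb, a3, P) == (Pa * inv(Pb)) % P
    return alice_ok, bob_ok


def authenticate(alice_answer, bob_answer,
                 fp_a=b"\x01" * 20, fp_b=b"\x02" * 20, ssid=b"\x03" * 8):
    """Both users type their own answer into their own client; the clients
    then run SMP. Fingerprints and session id here are constructed placeholders."""
    x = derive_secret(alice_answer, fp_a, fp_b, ssid)
    y = derive_secret(bob_answer, fp_a, fp_b, ssid)
    return smp_equal(x, y)


if __name__ == "__main__":
    print(authenticate("Lincoln Elementary", "Lincoln Elementary"))    # (True, True)
    print(authenticate("Lincoln Elementary", '"Lincoln Elementary"'))  # (False, False)
```

Running the two calls at the bottom shows the exact-match behaviour the post runs into: the same answer on both sides yields equal on both sides, while the quoted variant yields an unrelated hash and therefore a failure, even though a human reading both strings would accept them as the same school. Because only blinded values (Pa, Qa, Pb, Qb, Ra, Rb) cross the wire, someone sitting between the two clients learns neither answer and cannot forge a match without knowing it.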