Nah, given that it's you two I'm not worried. :~) And I do know your email addresses... But if you'd enjoy playing with DH don't let me stop you! Although I vaguely recall someone finding (and publishing) a flaw in their math that makes it crackable.
One of my complaints is the lack of ways to verify whether a client is who they say they are.
How do you plan to overcome such problems?
I had another reason that was better than this but I forgot what I was going to say.
I want a way to do it without user intervention, so, for example, I could make a game that finds a player and then verifies them in some way so you can play with others around the world instead of having to text your friends and ask for their passcode. Without this, someone can pretend to be a different user and spoof (for example) a username.
Why not do it the same way the web does, with async encryption?
You can use your password as the private key, and then anyone with the public key can decrypt the message, but only the person with the password can encrypt. Then, you send a randomly generated key for synchronous encryption, then you have a secure channel. (Though, man in the middle attacks can still happen.)
Following @specialred discovery of a "free" tier in their products, I'm thinking that any Snapper (as long as they can get on the site) could set up their own broker that only they could publish to certain topics but anyone else can subscribe (by setting up a public guest user/password combo with only subscribe rights)
The company is emqx.com (that provide one of the current default public broker - broker.emqx.io )
The product is their "Serverless" (I hate that word/concept nearly as much as crypto!) free tier
The one I've spun up is at x83e5931.ala.us-east-1.emqxsl.com:8084
I've set a user called guest, password guest that can subscribe to any topic (currently there is only cheerlights/# that I an publishing to)
This would completely eliminate need to exchange any passwords whatsoever
Might have to tweak the MQTT extension blocks to make sure they can fully cope with multiple brokers
yes, any snapper besides me
for some reason, when trying to authorize sub-accounts on the site, i immediately get a "Bad Request" error the second i open the page
following that error, it doesn't even let me authorize any sub-accounts anyways...
however, it's good that you got your own broker for your project
while me and codegang (unless they can do it) are stuck with one of the defaults...