by alupo
4524 days ago
Concatenating the two usernames is done afterwards to compute the peering (localisation digest). The tracker is not added to the usernames because it should be easy to change trackers without resetting your contacts. The tracker is not really part of your identity like the domain of an email, it's more like a temporary address where your friends know they can reach you. However, I'm aware of the specific collision issue you highlight. Actually, you must not use the same secret twice for two different contacts (for obvious reasons, since if one of the contacts is somewhat malicious it could guess it and impersonate you by connecting to the other one). Just like passwords, you should never use the same one twice. So your example is actually very bad practice for the third party. We don't want to avoid asymmetric cryptography, we want to avoid using a public key system. If you want to use public keys, Retroshare is a pretty good app. The problem is, non-tech people tend to freak out when confronted with public keys, so we wanted something very simple to understand and use.