To your alternative approaches I would also add Bruce Schneier’s advice in Cryptographic Engineering, where he talks a little about the human element in dealing with clients. It’s similar to the Socratic approach, in that you ask about a possible flaw rather than argue it exists.
Bad: “that doesn’t work. Someone can just replay the messages.”
Good: “what defenses does this system have against replay attacks?”