Supports multiparty OTR, etc.
Server doesn't see message contents. Ephemeral key exchange via OTR (hence supports perfect forward secrecy), though of course there's always the problem of trusting the fingerprint, i.e. someone (e.g. the server) can just MitM the whole thing.
So ideally, one should verify the OTR fingerprints of the other parties via some secondary channel.
You can also run the server on your own infrastructure.
> key exchange can be done with RSA
Any particular reason for RSA, and not ECDH key exchange?
Errata: mpOTR (as implemented by Cryptocat) does not seem to support PFS right now, which is quite a big deal.