Hi,

> 3. That mitigation would help, but in the end it's still leaky
> obfuscation of credentials + MD5-based technology that is being
> formally deprecated with a mandated replacement[2], and de facto has
> been for a long time.
>
> The real recommendation of the paper was "don't use RADIUS/UDP at
> all", and I don't want to expend energy writing a RADIUS/TLS client
> for a hypothetical user, so I think we should just delete it all, and
> stick a deprecation notice in the release branch documentation, as
> attached. That'd also mean our Windows select() and non-thread-safe
> UDP kludges can be VACUUMed.

All things considered, it sounds perfectly reasonable. +1.

--
Best regards,
Aleksander Alekseev
