Security

Comments

5 comments posted
#1

Security is a huge concern. No problem raising this as an issue as long as we can work towards a resolution.

There are actually two types of information that we can display:

  • boat information
    • sail number
    • manufacturer
    • boat information/description
    • location
    • owner
    • etc
  • owner information
    • first/last name
    • address
    • email address
    • phone number
    • etc

I would expect that the boat information, since it can be gathered from any Regatta Results, be public. This should also be very similar to the information that was available through the previous version of the Albacore Registry.

If you look at the attachments in post #6 in #1850: Table should be like CAA Handbook, members' phone numbers were published in the CAA Handbook.

I do, however, believe that the members'/owners' information should best be viewed securely by logged in users (not necessarily members). The display of members' information also needs to respect the Account Privacy settings.

That is why I don't like the Table View. It displays the Boats and Owner's information as it did in the CAA Handbook. The preference is to use the Latest View (Home) as it only uses the Owner's First and Last Name. The location is actually the Boat Location (City) that is entered and not the location of the Owner.

Posted by waverate on Fri, 12/17/2010 - 13:24
#2

To go forward, it is paramount that the web application be secure enough (or at least give the impression that it is secure enough) for Boat Owners to post their boats and provide information that is useful to other Boat Owners.

If we treat users as:

  • Public / Anonymous - those that have not logged in, and
  • Private / Authenticated - those that have logged in (but not necessarily members of an NA)

Can we determine what information is acceptable to make available to each group?

To use Latest View as an example and your original post, you are proposing:

  • Nationality - public
  • Sail Number - public
  • Year - public
  • Manufacturer - public
  • Material - public
  • Boat Name - public
  • Does the Boat have photos icon - private
  • Location (from Boat Information) - public
  • Owner's Name (First and Last) - private
  • Last Updated - public

Instead of the Owner's Name, could we use the Username instead?

Posted by waverate on Fri, 12/17/2010 - 13:30
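
The public/private split listed in post #2, combined with the Account Privacy requirement from post #1, sketched as a deny-by-default field filter. This is an added example, not code from the registry site or from any poster; the field keys, the `owner_hidden_fields` parameter and the sample record are assumptions constructed for illustration.

```python
PUBLIC, PRIVATE = "public", "private"

# Classification taken from the Latest View list in post #2.
# The dictionary keys are assumed names, not the site's real column names.
FIELD_VISIBILITY = {
    "nationality": PUBLIC,
    "sail_number": PUBLIC,
    "year": PUBLIC,
    "manufacturer": PUBLIC,
    "material": PUBLIC,
    "boat_name": PUBLIC,
    "has_photos": PRIVATE,
    "location": PUBLIC,      # boat location (city), not the owner's address
    "owner_name": PRIVATE,
    "last_updated": PUBLIC,
}


def visible_fields(record, authenticated, owner_hidden_fields=frozenset()):
    """Return only the fields of `record` that this viewer may see.

    - Fields missing from FIELD_VISIBILITY are dropped (deny by default), so a
      column added later, such as an email address, is not exposed by accident.
    - PRIVATE fields require a logged-in viewer (membership is not required).
    - owner_hidden_fields models the owner's Account Privacy settings
      (hypothetical parameter): it can hide PRIVATE fields even from logged-in
      viewers, but it does not hide PUBLIC boat information.
    """
    shown = {}
    for name, value in record.items():
        level = FIELD_VISIBILITY.get(name)
        if level is None:
            continue  # unclassified field: never rendered
        if level == PRIVATE and (not authenticated or name in owner_hidden_fields):
            continue
        shown[name] = value
    return shown


# Constructed sample record; owner_email and owner_phone are deliberately
# unclassified to show the deny-by-default behaviour.
SAMPLE = {
    "nationality": "CAN", "sail_number": 8123, "year": 2009,
    "manufacturer": "Example Boatworks", "material": "FRP",
    "boat_name": "Example", "has_photos": True, "location": "Toronto",
    "owner_name": "Pat Example", "last_updated": "2010-12-17",
    "owner_email": "pat@example.org", "owner_phone": "555-0100",
}
```

Applying the filter at the point where rows are fetched for display, rather than hiding columns in the page template, keeps private values out of the response for anonymous visitors and robots.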
#3

That sums it up.

Posted by JimE1 on Fri, 12/17/2010 - 14:41
#4
Status: active » needs work

I'm okay with the "latest view" display, however....

I think it would be somewhat better to follow the scheme in post #2 on this topic, which has the Owner's Name "private". Anyone with a keen interest need only make an authenticated log-in to see the additional information. This gives a bit of protection from some casual viewer or a robot.

I would not like to require membership in an association to get access to the private information.

Posted by Peter Duncan on Thu, 12/30/2010 - 13:25