[Psml] A response to John Bradley re: Electronic MM Submissions

[Craig McConnaughey]

> John,
>
> As a P/C, I don't think I would be too excited with someone submitting MM
> recommendations without my first reviewing and approving same.  This could
> also be said of other activities that you project will require unique
> passwords.
>
> It seems to me that if the Commander's appointees, who are performing the
> function(s), simply send the information to the Commander, he/she (the
> Commander) could (and should) review and then indicate his/her data 
> approval
> by forwarding it on to National using his/her confidential password.
>
> Too simple?  I'm not so sure. Somewhere in this line of thinking 
> (receiving,
> reviewing, authenticating, and forwarding) may be the solution for which 
> you
> are looking.
>
> P/C Craig McConnaughey
> Diablo Squadron, D-25
> Craig at McConnaughey.com
>
> -----Original Message-----
> From: psml-bounces at usps.org [mailto:psml-bounces at usps.org] On Behalf Of 
> John
> R. Bradley
> Sent: Thursday, March 08, 2007 2:26 PM
> To: r.payette at snet.net
> Cc: United States Power Squadrons Mailing List
> Subject: [Psml] Electronic Merit Mark Passwords
>
> This is a request for comments.
>
> As mentioned at the Jacksonville meeting on DB2000, we will be going live
> with electronic filing of merit marks in a few months. This electronic
> procedure will require a means of certifying that the merit mark 
> submission
> really comes from the commander or his agent.
>
> During the beta test in 2006 we took the stop gap approach of using the
> commander's master password as the certification.  For  those squadrons 
> and
> districts in which the submissions are not physically submitted by the
> commander but by an agent such as the merit mark chairman, this required 
> the
> commander to reveal his master password to someone else. Once revealed, 
> the
> person to whom it is revealed can perform any password protected function
> that would normally be restricted to the commander. Clearly not a good 
> idea.
>
> The simplest solution is to merely create another password for each 
> squadron
> and district to be used solely by the commander or his agent and only for
> the purpose of certifying merit mark submissions.  This would be a fourth
> password in addition to the existing three supplied to the commander at 
> the
> beginning of the watch year.
>
> The objection to this approach is that as we develop more and more
> facilities requiring restricted access, we will, if we follow this 
> approach,
> need to add more and more single purpose passwords.
>
> Another approach could be as follows:
>
> We provide an ability for the commander to create userIDs identified by
> their password, and allow the commander to specify what functions each
> userID can perform.  This would mean that HQ would only assign one 
> password,
> a master password to each commander.  The commander in turn, using web 
> based
> software, would be responsible for creating any additional userIDs, and
> specifying what those userIDs can do, within constraints imposed by the
> software. This would include insuring that only one ID could upload 
> changes
> to the database, etc.
>
> An objection to this approach is that it would be beyond the ability of 
> many
> commanders to create the necessary IDs.
>
> Comments please!!
>
> Stf/C John R. Bradley, SN
> Member USPS Information Technology Committee
> 60 Old Brook Road
> Dix Hills, NY 11746-6432
> (800) 777-3770 ext.203 Office
> (631) 243-5240 Home
> (631) 274-2103 FAX
> jrb at accurecord.com