Here are the questions I administered as the exercise for my XML Summer School lecture on federated identity. My comments on how they went over, and other comments based on our phone conversation today, are in [brackets]. [We need to add an introductory paragraph that explains what we're trying to accomplish here, something like: The Concordia group is examining the needs of enterprise and consumer application development organizations when it comes to "outsourcing" the provisioning of important user identity data to other applications or services, and having the necessary degree of confidence that this data is accurate and current. In federated identity, this sort of outsourcing is called "attribute exchange". We invite you to fill out the survey to help us work within the identity community to address your needs better.] [We need to add a maximum of 5 demographic "establishment questions" that we can use on all future surveys, as well as allow people to optionally give us their name, email, and permission to contact them for further in-depth inquiries. I think we should assign this one to Ari. :-)] Thinking about identity data used in your applications for authorisation or personalisation, for each identity data item: What is the nature of the data? [People asked for clarification. What I meant, in brute-force fashion, was "What is the data item?" E.g., blood type, home address, etc.?] What is the nature and role of the application in your organisation? [People asked for clarification. What I meant, in brute-force fashion, was "What does the application do?"] What effect does the data have on application behavior? [E.g., does it control authorization? does it personalize the app? etc.] What are the consequences if the data is incorrect? [e.g., spoiled user experience, incorrect diagnosis, death??] What party is truly authoritative for that data? [In brute-force fashion: Who has the responsibility for providing the data item? Who has the least incentive to lie about it? Who has the most incentive to get it right?...] Is there a role for self-assertion or self-service in data provisioning and updating? [This is phrased in a somewhat geeky fashion. In brute-force fashion: Do the people about whom the data item have the opportunity to set and update its value themselves?] If you are not the authoritative party, how and how often do you get the data today? [This is really batch vs. run-time provisioning. Also, note that I asked "if you are not the authoritative party" because I was asking a roomful of people, who may not be RPs today, to fill out the questionnaire.] What is your business relationship with the authoritative party? What is your remediation strategy and workflow for incorrect data? [This is phrased in stilted fashion, but isn't truly geeky.] [On the call we agreed we need a final question, something like: What questions should we have asked you to get to the root of your issues around confidence in outsourced data? What other comments can you share with us?] Eve Maler eve@xmlgrrl.com http://www.xmlgrrl.com/blog