Approaches for linking form instance changes to individuals

Agreed that option 2 would be expedient, but it's also the least flexible. That is, if it's defined as prompting the user for an alphanumeric value, that's all it can do. It can't collect signatures, identifiers from a fingerprint app, etc. Similarly, once it's decided that it tracks username and comment, that's all it can do. With some of the other options, the form designer could choose to do things like require comments on certain fields.

That sounds right.

Agreed that the goal is to get a user identifier written to the audit log. A question underlying the various options I've provided is how much flexibility to give the form designer to achieve that. We have this wonderful, flexible tool for defining data capture (XForms) and it feels unfortunate to go completely outside of that.

I agree this is appealing. It would require all clients to have the notion of a session and of users logging in and out, which I don't think any do at the moment. This needs to happen offline, so using a remote server for identity confirmation is not an option.

Exactly, it is per-instance and uses the same machinery as upload. More in the spec.