Right now, a user, whose ID was downloaded from the vault by an vault administrator or auditor (in general: another user entity than the user) is not notified about it.I think a user should be notified if a copy of his/her user ID (for which in most cases he/she is responsible for).
Subject: Unfortunately, different organizations have different requirements in that area
I would personally agree with you, but some others have made strong cases for the need to extract an ID file without the end user noticing.
One idea that has been proposed for a future release would be crippling ID files extracted through the “auditor” role in some fashion to prevent them from being used for signing. Would this fulfill the spirit of your suggestion?
Subject: ID Vault: In Germany you might get problems with that
As far as I know it might be illegal (at least in Germany [BDSG, TKG, etc…]) to download an information that is property of a person without notifying him/her and without his/her agreement.I doubt that an employee council (“Betriebsrat”) would agree to the use of such option.
If I would be accused that I have done something - i.e. sending a mail to my CEO wishing him to hell - I would just said “It cannot be guaranteed that my ID is safe from abuse and can only be used by myself, therefore Authenticity and Non-Repudiation is not guaranteed”. Than, you got a problem to proove that someone has done something bulletproven.
OK, Americans have no problems with privacy, but in Europe and especially in Germany, privacy is handled much more restrictive.
I would opt for an optional notification at least.