EU regulations conformance #190

Closed
mropert opened this issue Jan 9, 2017 · 4 comments

Comments

@mropert

mropert commented Jan 9, 2017

Hello,

Could you tell me if cla-assistant conforms to the EU eIDAS regulation on digital signatures?
In particular, I'm interested to know if it meets either the "simple", "advanced" or "qualified" criteria.

Thanks!

@thojansen
Contributor

Hi there, good question. We have not done any qualifications/certifications w.r.t. eIDAS or something similar. As we rely on GitHub as an identity provider, they would also be part of that, I guess. Is this a requirement for you? Any further hints/pointers?

@mropert
Author

mropert commented Jan 10, 2017

As a French company, we need the CLA signing process to conform to French law, which is governed by the EU eIDAS regulations.
There are three levels of guarantee (simple, advanced and qualified) with various requirements.
In the case of a CLA I think "simple" (or "low") would be acceptable, but it still requires being able to prove the identity of the signatory and the authenticity of the record.
In our case I suppose that would mean that the record cla-assistant saves must include some cryptographic proof that the record is genuine (like signing with a private key belonging to the user account).

@thojansen
Contributor

This is where we follow the same flow as all other GitHub applications. We use OAuth to obtain a user token, and that token is used for authentication and as the proof for that specific identity. I am wondering if we automatically reach the first stage by implementing server-side OAuth. I will reach out to a few colleagues internally and try to get some more information on that topic.

@thojansen
Contributor

Ok. Right now we cannot judge the relevance of eIDAS or whether it is applicable to CLA assistant. We can answer technical questions on how user authentication and such are performed, but cannot guarantee any conformance with that regulation.
