Comment by brabel

1 day ago

Some other comments mention BankID private keys. That would be the biggest disaster as that’s what everyone uses to identify themselves “securely” on all government services.

The private keys in BankID are stored in users' phones, not centrally.

  • Well, don’t Relying Parties using the BankID API for signatures and authentication have private keys to start the flows for users scanning QR codes etc.?

    Could you, having the right private keys, impersonate some company soliciting a BankID signature?

    I’m not sure what you can do with that though. You cannot steal some other ongoing signature I guess.

    • You can start a signing process saying you are whoever owned that certificate. E.g. if you call someone. You cannot use those signatures to gain access, and it is rather in phishing.