by fmbb 94 days ago
Well, don’t Relying Parties using the BankID API for signatures and authentication have private keys to start the flows for users scanning QR codes etc.?

Could you, having the right private keys, impersonate some company soliciting a BankID signature?

I’m not sure what you can do with that though. You cannot steal some other ongoing signature I guess.

1 comments

You can start a signing process saying you are whoever owned that certificate. E.g. if you call someone. You cannot use those signatures to gain access, and it is rather in phishing.