Does the existing EBICS (OrderSignatureData) standard generate compliant QES?
For the past two years, I have been involved in a venture to build mobile signing solutions. The initial product 'Quali-Sign Banking' (QSB) is now complete (Android version) and provides corporate users with the ability to authorise their organisation's payment orders via their mobile device. The solution is aligned to eIDAS 'Qualified Electronic Signatures' (QES) and PSD2 'Strong Customer Authentication' requirements.
QSB communicates directly with banks via the EBICS protocol. QSB performs the role of an EBICS Client that connects to EBICS Servers, provided by banks. I believe EBICS to be an excellent fit for eIDAS because it mandates a high level of security and provides many standard APIs to initialize and manage users, including key and certificate exchange.
The EBICS Specification (page 295) includes a future requirement to include X.509 certificate information (X509Data) within order signatures (OrderSignatureData). Currently the X509Data tag is not included.
Article 26 (b) states that an Advanced Electronic Signature must be 'capable of identifying the signatory'. This will clearly be met with the above EBICS future requirement. However, the existing OrderSignatureData does identify the signatory via a PartnerId and UserId.
I would be very interested in any insight as to whether the current EBICS order signatures standard is sufficient to comply with QES requirements.
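The difference the question turns on is whether the signature itself carries the signatory's identity (an X509Data block) or only a PartnerId/UserId pair that the bank must resolve against the key material exchanged at user initialisation. The following is an added example, not code from the post or from the EBICS specification: it parses a constructed OrderSignatureData document and reports which of the two identification paths a verifier can take, including the failure cases (unknown ids, or an embedded certificate subject that disagrees with the registered key holder). The element names and the `urn:example:ebics-signature` namespace are approximations of the EBICS signature schema, the `ds:` namespace is XMLDSig's, and `KEY_REGISTRY` is a stand-in for the bank-side key store; it checks identification only, not the signature value or the certificate chain.

```python
# Added example (not from the post or the EBICS spec): how an order signature
# identifies its signatory. Element names and the "s" namespace are constructed
# approximations of the EBICS signature schema; "ds" is the real XMLDSig namespace.
import xml.etree.ElementTree as ET

NS = {
    "s": "urn:example:ebics-signature",          # constructed placeholder namespace
    "ds": "http://www.w3.org/2000/09/xmldsig#",  # XMLDSig namespace for X509Data
}

# Constructed stand-in for the bank's key store built during user initialisation:
# (PartnerId, UserId) -> subject of the certificate the bank holds for that user.
KEY_REGISTRY = {
    ("PARTNER01", "USER0001"): "CN=Alice Example,O=Example Corp",
}


def sample_signature(partner, user, subject=None):
    """Build a minimal OrderSignatureData document (constructed sample input)."""
    x509 = (f"<ds:X509Data><ds:X509SubjectName>{subject}</ds:X509SubjectName></ds:X509Data>"
            if subject else "")
    return (f'<UserSignatureData xmlns="{NS["s"]}" xmlns:ds="{NS["ds"]}">'
            f"<OrderSignatureData>"
            f"<SignatureVersion>A005</SignatureVersion>"
            f"<SignatureValue>c2lnbmF0dXJl</SignatureValue>"  # placeholder, not a real signature
            f"<PartnerId>{partner}</PartnerId><UserId>{user}</UserId>{x509}"
            f"</OrderSignatureData></UserSignatureData>")


def identify_signatory(xml_text, registry=KEY_REGISTRY):
    """Return (method, subject) telling how the signatory can be identified from
    the signature, or (None, reason) when it cannot be. Signature validity and
    certificate chain checks are deliberately out of scope here."""
    root = ET.fromstring(xml_text)
    osd = root.find(".//s:OrderSignatureData", NS)
    if osd is None:
        return None, "no OrderSignatureData element"
    partner = osd.findtext("s:PartnerId", namespaces=NS)
    user = osd.findtext("s:UserId", namespaces=NS)
    subject_from_cert = osd.findtext("ds:X509Data/ds:X509SubjectName", namespaces=NS)
    registered = registry.get((partner, user))

    if subject_from_cert:
        # The signature carries the identifying certificate data itself.
        if registered and registered != subject_from_cert:
            return None, "embedded certificate subject does not match registered key holder"
        return "embedded_certificate", subject_from_cert
    if registered:
        # Indirect identification: only the bank's registry links the ids to a person.
        return "registry_lookup", registered
    return None, "PartnerId/UserId not found in key registry"


if __name__ == "__main__":
    # Current practice (no X509Data) versus the future form with X509Data.
    print(identify_signatory(sample_signature("PARTNER01", "USER0001")))
    print(identify_signatory(sample_signature("PARTNER01", "USER0001",
                                              "CN=Alice Example,O=Example Corp")))
    print(identify_signatory(sample_signature("PARTNER99", "USER9999")))
```

Run as a script it prints the three outcomes: a registry lookup, an embedded-certificate identification, and an unidentifiable signatory. The point it makes concrete is that without X509Data the "capable of identifying the signatory" property rests entirely on a mapping held by the bank, which a third party verifying the signature does not have.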