Fortinet 294 FortiWeb 5.0 Patch 6 Administration Guide
Figure 39: Bilateral authentication
PKI authentication relies on these factors to strongly confirm identity:
Sole private key possession — As with any X.509 certificate, a client’s identity can only
be irrefutably confirmed if no one other than that person holds the certificate’s private key.
The private key is a large random value that is mathematically bound to its corresponding
public key: a signature produced with the private key can be checked by anyone who has the
public key, yet the private key cannot feasibly be derived from the public key. This gives it a
cryptographic property that passwords lack: a password is only a shared secret, and the server
can check it solely by comparing it (or a hash of it) with a stored copy, so the client must
reveal it every time it authenticates. Like a password, however, a private key is only as strong
as its secrecy.
Provide a client’s private key only to that specific client, and transmit and store any backups
as securely as you would a password. Better still, have the client generate its own key pair and
submit only a certificate signing request (CSR) to the CA, so that the private key never has to
leave the client. If a private key is stored insecurely, or is held by anyone other than its
intended end user, others can authenticate as that person and the security of your web sites is
compromised; non-repudiation is lost as well, because you can no longer show that only that
person could have acted under the certificate.
If you suspect that a private key has been compromised, immediately revoke the corresponding
personal certificate. See “Revoking certificates” on page 318.
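The two properties this section relies on, proof of possession of the private key and revocation after a suspected compromise, as an added OpenSSL walk-through. This script is not from the FortiWeb guide or from Fortinet; it assumes only that the openssl command-line tool (1.1.1 or 3.x) is installed, and the CA and client names (demo-ca, alice, mallory) and the challenge value are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the FortiWeb guide: (1) only the holder of a
# certificate's private key can produce a signature that verifies under that
# certificate, so possession of the key is the identity; (2) once the key is
# suspected compromised, revoking the certificate (here via a CRL) is what makes
# a verifier stop trusting it. Names and the challenge value are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Publish the CA's current CRL (empty until something is revoked).
gen_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Trust anchor: the CA certificate a server such as FortiWeb would hold, plus
# the small database that 'openssl ca' needs for revocation and CRL issuance.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  gen_crl
}

# Enrol a client. The client generates its own key pair and hands the CA only a
# CSR, so the private key never leaves the client; the CA returns a certificate.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Proof of possession, as a TLS client-authentication handshake does it: the
# server issues a challenge, the client signs it, the server verifies the
# signature with the public key from the presented certificate.
# Returns 0 only if <signer>'s private key matches <holder>'s certificate.
prove_possession() {
  printf 'constructed-server-nonce-42' > "$WORK/challenge"  # random in practice
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/challenge.sig" "$WORK/challenge"
  openssl x509 -in "$WORK/$2.crt" -pubkey -noout > "$WORK/$2.pub"
  openssl dgst -sha256 -verify "$WORK/$2.pub" -signature "$WORK/challenge.sig" \
    "$WORK/challenge" >/dev/null 2>&1
}

# What the verifier does with the certificate itself: build the chain to the CA
# and consult the CRL. Returns 0 if the certificate is still acceptable.
cert_is_valid() {
  openssl verify -CAfile "$WORK/ca.crt" -crl_check -CRLfile "$WORK/crl.pem" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Response to a suspected key compromise: revoke the certificate, reissue the CRL.
revoke_client() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
  gen_crl
}

make_ca
issue_client alice
issue_client mallory

if prove_possession alice alice;     then echo "alice's key + alice's cert: accepted"; fi
if ! prove_possession mallory alice; then echo "mallory's key + alice's cert: rejected"; fi
if cert_is_valid alice;              then echo "alice's cert before revocation: valid"; fi
revoke_client alice
if ! cert_is_valid alice;            then echo "alice's cert after revocation: rejected"; fi
if cert_is_valid mallory;            then echo "mallory's own cert is unaffected: valid"; fi
```

Run it as a script. The enrolment step deliberately has the client generate its own key pair and submit only a CSR; if your CA instead issues key-and-certificate bundles (for example PKCS#12 files), the text's warning about transmitting and storing private keys securely applies to that file. The checks shown (signature over a challenge, chain building, CRL lookup) are the ones any TLS server performing client-certificate authentication carries out.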