TCS FAQ - Technical Questions


Which web browsers and other applications support TCS certificates?

One of the main motivations behind TCS is the removal of the 'pop-up' problem, whereby users visiting a website receive a warning that the site is untrusted. This happens because, even though HTTPS may be used to create a secure channel, it is not possible to verify that the certificate of a remote site is trusted unless the root certificate of the originating CA is pre-installed in the client operating system or browser software. It is possible to add certificates manually, but this requires the user to understand the process and undertake their own verification, and there is the danger that inexperienced users may inadvertently choose to trust spoofed or fraudulent sites.

The Comodo CA root certificate used to sign TCS certificates is supported by the following applications:

  • Web Browsers (with EV support) - Apple Safari 3.2+, Google Chrome 1.0+, Microsoft Internet Explorer 7.0+, Mozilla Firefox 3.0+, Opera 9.5+
  • Web Browsers (without EV support) - Apple Safari 1.2+, AOL 5.0+, Camino 1.0+, Google Chrome 1.0+, KDE Konqueror, Microsoft Internet Explorer 5.01+, Mozilla Firefox 1.0+, Netscape Communicator 4.77+, Opera 7.0+
  • E-mail Clients (S/MIME) - Apple Mail, Lotus Notes (6+), Microsoft Outlook 99+, Microsoft Outlook Express 5.0+, Microsoft Entourage, Microsoft Windows Mail 1.0+, Mozilla Thunderbird 1.0+, Qualcomm Eudora 6.2+, The Bat 1.0+
  • PDAs - ACCESS NetFront 3.4+, Apple iPhone 1.0+, KDDI Openwave v6.2.0.12+, Microsoft Windows Mobile 5.0+, Nintendo Wii, NTT DoCoMo, Opera Mini 3.0+, Opera Mobile 6.0+, RIM Blackberry v4.2.1+, Sony Playstation 3, Sony Playstation Portable
  • Applications - Adobe AIR, Microsoft Authenticode, Microsoft Office, Microsoft Visual Basic for Applications, Mozilla Suite 1.0+, SeaMonkey, Sun Java SE 1.4.2+

Unfortunately, the Comodo CA root is not currently pre-installed in the Symbian operating system used in many Nokia and Sony Ericsson devices. However, support can be added by downloading and installing the Comodo CA root certificate.


What domain names can be used with TCS certificates?

TCS certificates may generally be issued for any domain in the gTLD or ccTLD hierarchies, provided the requesting entity either owns or has the right to use the name. There are some restrictions on the use of domains that incorporate certain brand names or trademarks, and participating NRENs may implement further restrictions.


Is it possible to issue TCS certificates with local or reserved DNS names?

RFC 2606 defines several top-level domain names that are reserved for testing or local use, and which should be ignored by systems outside a local domain. Some CAs permit the issuing of certificates for such domains, but this is not currently permitted by TCS in accordance with its Certificate Practice Statements.


How many SANs may be specified per TCS certificate?

Subject Alternative Names (SANs) allow a list of host names to be protected by a single server certificate. This has been a part of the X.509 standard since 1999, and most web browsers and applications should support them.

Comodo allow a maximum of 100 host names to be specified in the Subject Alternative Name field of TCS Server Certificates.


Does TCS Support SHA-2?

Following announcements by Google and Microsoft regarding the phasing out of SHA-1, SHA-2 certificates can now be ordered from Comodo. SHA-2 subCAs have been rolled out corresponding to the existing SHA-1 subCAs. These subCAs use intermediate chain CA certificates that are completely different from the existing chains; however, the root certificates, and hence the trust, have not changed.

Server and code signing certificates can be ordered as normal via Djangora or your own local portal, and a choice of SHA-1 or SHA-2 can be selected. Any SHA-1 request with a duration that runs past the deadline of 1st January 2017 will be automatically changed to SHA-2.

Some changes may need to be made to Confusa portals to support SHA-2 personal certificates. If you are experiencing any problems, please contact the Confusa team.

All participants are advised to use only SHA-1 for eScience certificates for now, as SHA-2 is not fully distributed through the IGTF framework. As eScience certificates are 13 months in duration, they should expire before the cut-off date of 1st January 2017.
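
The rules given in the answers on reserved DNS names, SAN limits and the SHA-1 deadline can be checked before a request is submitted. The following is an added example, not code from TCS or Comodo: the function name, the duplicate handling and the reading of "past the deadline" as "expires after 1st January 2017" are assumptions.

```python
from datetime import date

# RFC 2606 section 2: top-level names reserved for testing or local use.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
MAX_SANS = 100                   # limit stated in the FAQ for TCS server certificates
SHA1_CUTOFF = date(2017, 1, 1)   # SHA-1 deadline stated in the FAQ


def normalise(name):
    """Lower-case a host name and drop the trailing root dot, if any."""
    return name.strip().lower().rstrip(".")


def check_request(san_names, digest, not_after):
    """Return (effective_digest, problems) for a hypothetical request.

    san_names : host names intended for the Subject Alternative Name field
    digest    : "SHA-1" or "SHA-2", as selected when ordering
    not_after : datetime.date on which the certificate would expire
    """
    problems = []
    seen = set()
    for raw in san_names:
        name = normalise(raw)
        if not name:
            problems.append("empty host name")
            continue
        if name in seen:         # assumption: a repeated name is counted once
            continue
        seen.add(name)
        tld = name.rsplit(".", 1)[-1]
        if tld in RESERVED_TLDS:
            problems.append(f"{name}: reserved TLD .{tld} (RFC 2606)")
    if len(seen) > MAX_SANS:
        problems.append(f"{len(seen)} SANs exceeds the limit of {MAX_SANS}")
    effective = digest
    # Assumption: "past the deadline" means the certificate expires after the cutoff.
    if digest == "SHA-1" and not_after > SHA1_CUTOFF:
        effective = "SHA-2"
    return effective, problems


if __name__ == "__main__":
    # Constructed sample request, not taken from the FAQ.
    sample = ["www.uni.ac.uk", "WWW.uni.ac.uk.", "dev.test", "localhost"]
    print(check_request(sample, "SHA-1", date(2017, 6, 30)))
```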