Tumbleweed Validation Authority secures FIPS 201 certification

Certification Allows Federal Agencies to Leverage Tumbleweed’s Experience in Deploying PKI Validation Solutions within the U.S. DoD and Intelligence Communities

Redwood City, CA – September 27, 2006 – Tumbleweed® Communications Corp. (NASDAQ:TMWD), a leading provider of email security, file transfer security, and identity validation software and appliances, today announced that the U.S. General Services Administration (GSA) has certified the Tumbleweed Validation Authority™ as a compliant certificate validation solution meeting requirements for validating digital certificates embedded in Personal Identity Verification (PIV) cards of Federal employees and contractors.  Based on widely adopted open standards and technologies, including the Online Certificate Status Protocol (OCSP, RFC 2560), the Tumbleweed Validation Authority validates the status of digital certificates in real time, ensuring that revoked credentials cannot be used for smart card login, secure email, web access, wireless, VPN, or other electronic transactions. 

The certification qualifies Tumbleweed’s public key infrastructure (PKI) validation software and appliances for any Federal agency seeking compliance with Homeland Security Presidential Directive 12 (HSPD-12) and the Federal Information Processing Standard 201 (FIPS 201).  HSPD-12 mandates that on October 27, 2006, Federal agencies must start issuing FIPS 201 compliant common identification cards (smart cards) for controlling physical and logical access to government facilities and information systems.  The government will eventually roll out the smart cards to millions of Federal employees and contractors, and FIPS 201 requires that each card must contain a unique credential number, a digital certificate and an expiration date. 

 “GSA’s FIPS 201 approval of the Tumbleweed Validation Authority certifies that our product meets Federal PIV requirements for functionality and government-wide interoperability, providing Federal agencies with the flexibility to deploy a single infrastructure capable of multiple validation protocols in both enterprise and Federal Bridge-enabled environments,” said Ann Smith, Vice President of Federal Sales for Tumbleweed.  “Functionality, flexibility, and interoperability are key factors for agencies to keep in mind as they seek to satisfy current needs and anticipate future requirements relevant to HSPD-12/FIPS 201 compliant solutions.  This is especially true for agencies that will need to support trusted relationships with external, cross-certified PKIs.”

When a government or contractor employee uses the smart card to access a Federal information system or facility, the Tumbleweed Validation Authority enables FIPS 201 mandated digital certificate validation via OCSP in a process that is instantaneous and completely transparent to the end user.  The Tumbleweed Validation Authority also meets the GSA’s requirements for Delegated Path Discovery and Validation, enhancing validation services for cross-certified entities. 

Recently, Tumbleweed authorized reseller, Operational Resource Consultants (ORC), a leading provider of PKI authentication services, was granted certification as an HSPD-12 Shared Service Provider (SSP), utilizing the Tumbleweed Validation Authority to provide validation services for its Federal customers. 

The Tumbleweed Validation Authority is the most widely deployed identity validation solution within U.S. Department of Defense (DoD) and Intelligence communities, offering critical infrastructure and identity protection in demanding environments.  The product suite also features a broad portfolio of independent third party evaluations and certifications, including Common Criteria Evaluation Assurance Level (EAL) 3 certification, based on one of the strongest protection profiles for PKI products.

The FIPS 201 certification extends to the following components of the Tumbleweed Validation Authority product suite:

• Tumbleweed Validation Authority (VA Server) – A FIPS 140-2 high-performance multi-platform solution to process client digital certificate status queries using a number of different protocols including OCSP, SCVP, and VA certificate revocation lists (CRL).  The platform also includes the Tumbleweed Valicert VA Repeater, available as software or as a hardware appliance.  The VA Repeater Appliance solution offers a secure, hardened Linux-based platform, with Tumbleweed's Repeater Server software to provide a drop-in solution for deploying a high-scale, high-reliability digital certificate infrastructure for distributed hosted computing environments
• Server Validator – A flexible plug-in application for enabling digital certificate validation in the most widely used secure Web servers and Web application servers available on UNIX, Linux, Windows, and Apple server platforms
• Desktop Validator (Standard and Enterprise) – Flexible client solutions for enabling Microsoft Windows based desktop and server applications to validate digital certificates via the Microsoft Cryptographic API (CAPI).  Includes support  for automatically deploying and configuring Desktop Validator plug-ins for ease of large-scale deployment

SAFE HARBOR STATEMENT
Tumbleweed cautions that forward-looking statements contained in this press release are based on plans and expectations as of the date of the press release, and that a number of factors could cause the actual results to differ materially from the guidance given at this time.  These factors are described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the functionality and performance of the products in the Tumbleweed Validation Authority product suite, as well as the continued compliance of such products with requirements such as those relevant to HSPD-12 or FIPS.  In some cases, forward-looking statements can be identified by terminology such as “may,” “will,” “should,” “potential,” “continue,” “expects,” “anticipates,” “intends,” “plans,” “believes,” “estimates,” and similar expressions.  For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed’s Form 10-K filed March 16, 2006 and Form 10-Q filed August 8, 2006.

Tumbleweed assumes no obligation to update information contained in this press release.  Although this release may remain available on Tumbleweed’s website or elsewhere, its continued availability does not indicate that Tumbleweed is reaffirming or confirming any of the information contained herein.

About Tumbleweed Validation Authority
Tumbleweed Validation Authority (VA) (formerly known as Valicert Validation Authority), the leading identity validation solution, enables banks, governments, and businesses worldwide to secure highly valued and trusted transactions, ranging from corporate network access to multi-million dollar electronic transactions to physical access of military facilities. VA is a fourth-generation product line, offering a comprehensive, scalable, and reliable framework for real-time validation of digital certificates, based on numerous well-accepted international security standards and open technologies. VA is Certificate Authority neutral, FIPS 140-1, DOD JITC, Identrust, and Common Criteria compliant, as well as part of the Identrust, SWIFT Trust Act, BACS and Global Trust Authority financial trust infrastructures. VA has been deployed by hundreds of customers worldwide for over ten years, including the U.S. Department of Defense and all branches of the U.S. military which utilize VA to check the status of more than 3.5 million Common Access Cards used to secure system and network access, email, and other mission-critical resources.

About Tumbleweed Communications Corp.
Tumbleweed provides security solutions for email protection, file transfers, and identity validation that allow organizations to safely conduct business over the Internet. Tumbleweed offers these solutions in three comprehensive product suites: MailGate®, SecureTransport™, and Validation Authority™. MailGate provides protection against spam, viruses, and attacks, and enables policy-based message filtering, encryption, and routing. SecureTransport enables business to safely exchange large files and transactions without proprietary software.  Validation Authority is the world-leading solution for determining the validity of digital certificates.  Tumbleweed’s enterprise and government customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), St. Luke’s Episcopal Healthcare System, the U.S. Food and Drug Administration, the U.S. Department of Defense, and all four branches of the U.S. Armed Forces. Tumbleweed was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

Tumbleweed, the Arrows logo, MailGate, SecureTransport, Tumbleweed Validation Authority and Validation Authority are either registered trademarks or trademarks of Tumbleweed Communications Corp. in the United States and/or other countries.  All other trademarks are the property of their respective owners.

###