Tumbleweed Server Validator increases platform support for SSL-enabled applications

Most widely-deployed DoD validation solution now offers broadest web application support; Unparalleled secure access to newest web service applications through NIST-certified Path Validation support

Redwood City, Calif. - May 22, 2007 – Tumbleweed® Communications Corp. (Nasdaq: TMWD), the industry's leading pure play messaging security vendor, today announced it has updated its Server Validator™ solution to further support the latest SSL-enabled applications.  As a result, Server Validator now offers the industry’s broadest support of digital certificate validation for web servers and applications.

Tumbleweed’s Server Validator protects against unauthorized access by enforcing strong user authentication for the latest versions of mission-critical web service applications via X.509 identity certificates.  With this release, Server Validator has extended support to the latest versions of validation-enabled applications including Oracle Application Server, Lotus Domino Server, BEA WebLogic, along with the most current versions of Apache and Sun ONE web server.

“With these enhancements, our customers get an even more mature version of a PKI-enabled product that focuses on ease-of-use and streamlining operational aspects for validating the digital certificates associated with commonly deployed web applications,” said Taher Elgamal, chief technology officer at Tumbleweed.  “This innovation furthers our technological advantage over competitors, as we offer the most mature SSL-based validation plug-in with the broadest platform support in the market.”

Server Validator ensures the authentication of X.509 certificates in SSL-based communication, confirming they are trustworthy and have not been revoked or suspended.  Tumbleweed’s Server Validator solution is the only SSL validation product on the market today to earn FIPS 140 certification, utilizing a NIST FIPS 140-2 Validated Cryptographic Module.

Server Validator now offers enhanced configuration flexibility to improve validation services for any PKI. This flexibility lets administrators configure certification authority (CA) specific validation mechanisms using multiple validation including OCSP, SCVP, VACRL; in addition to support for CRL and CRLDP.

The Tumbleweed Validation Authority® Suite of products validates the status of digital certificates in real time using a variety of protocols including OCSP and SCVP, ensuring that revoked credentials can not be used for secure emails, smart card login, web access, wireless, VPN, or other electronic transactions that may compromise mission-critical infrastructure.

The Validation Authority solution is a comprehensive, scalable, and reliable framework deployed by millions of customers worldwide to provide digital certificate validation on a wide range of platforms in diverse operating environments. Government agencies, including all four services of the U.S. Department of Defense (DoD), have deployed Tumbleweed’s solutions enterprise-wide to provide digital certificate validation to its millions of users.  Tumbleweed’s adherence to open standards has benefited the entire DoD community, making it the most widely-deployed validation solution in the marketplace.

About Tumbleweed Validation Authority
Tumbleweed Validation Authority (VA), the industry’s most widely deployed identity validation solution, enables banks, governments, and businesses worldwide to secure highly valued and trusted transactions, ranging from corporate network access to multi-million dollar electronic transactions to physical access of military facilities. VA is a fourth-generation product line, offering a comprehensive, scalable, and reliable framework for real-time validation of digital certificates, based on numerous well-accepted international security standards and open technologies. VA is Certificate Authority neutral, and certified FIPS 140-2, FIPS 201, DoD JITC, NIST PDVAL, Entrust Ready, IdenTrust and Common Criteria compliant, as well as part of the IdenTrust, SWIFT Trust Act, BACS and Global Trust Authority financial trust infrastructures.  VA has been deployed by millions of customers worldwide for over 8 years, including the U.S. Department of Defense and all branches of the U.S. military which utilize VA to check the status of more than 3.5 million Common Access Cards used to secure system and network access, email, and other mission-critical resources.

SAFE HARBOR STATEMENT
Tumbleweed cautions that forward-looking statements contained in this press release are based on current plans and expectations as of the date of this press release, and that a number of factors could cause the actual results to differ materially from the guidance given at this time. These factors are described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the functionality, interoperability and performance of the products in the Tumbleweed Validation Authority product suite.  In some cases, forward-looking statements can be identified by terminology such as “may,” “will,” “should,” “potential,” “continue,” “expects,” “anticipates,” “intends,” “plans,” “believes,” “estimates,” and similar expressions.  For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed’s Form 10-K filed March 14, 2007 and Form 10-Q filed May 10, 2007.

Tumbleweed assumes no obligation to update information contained in this press release. Although this release may remain available on Tumbleweed’s website or elsewhere, its continued availability does not indicate that Tumbleweed is reaffirming or confirming any of the information contained herein.

About Tumbleweed
Tumbleweed Communications Corp.(NASDAQ:TMWD), the industry’s leading pure play messaging security vendor, provides world-class innovative messaging security solutions for organizations of all sizes.  Organizations rely on Tumbleweed's solutions to securely manage their Internet communications, spanning email management to file transfers. Tumbleweed has more than 2,400 customers worldwide, representing industries such as Finance, Healthcare, and the U.S. Government. The world’s most security conscious organizations rely upon Tumbleweed technology including Bank of America Securities, JP Morgan Chase & Co., the U.S. Food and Drug Administration, and the U.S. Department of Defense. Our award-winning products build on fourteen years of R&D and 26 security patents in the U.S. alone – many of which are licensed by other security vendors. More information can be found at www.tumbleweed.com.

Tumbleweed, the Arrows logo, Tumbleweed Validation Authority, Validation Authority and Server Validator are either registered trademarks or trademarks of Tumbleweed Communications Corp. in the United States and/or other countries. All other trademarks are the property of their respective owners.

# # #