1/6/2011 Tumbleweed Validation Authority Secu…

Tumbleweed Validation Authority Secures FIPS

201 Certification.
Print

Date: Sep 27, 2006

Words: 1293
Publication: Business Wire

Certification Allows Federal Agencies to Leverage Tumbleweed's Experience in Deploying

PKI Validation Solutions within the U.S. DoD and Intelligence Communities

REDWOOD CITY, Calif. -- Tumbleweed[R] Communications Corp. (NASDAQ:TMWD), a leading

provider of email security, file transfer security, and identity validation software and appliances,
today announced that the U.S. General Services Administration (GSA) has certified the
Tumbleweed Validation Authority[TM] as a compliant certificate validation solution meeting
requirements for validating digital certificates embedded in Personal Identity Verification (PIV)
cards of Federal employees and contractors. Based on widely adopted open standards and
technologies, including the Online Certificate Status Protocol (OCSP, RFC 2560), the
Tumbleweed Validation Authority validates the status of digital certificates in real time, ensuring
that revoked credentials cannot be used for smart card login, secure email, web access,
wireless, VPN, or other electronic transactions.

The certification qualifies Tumbleweed's public key infrastructure (PKI) validation software and
appliances for any Federal agency seeking compliance with Homeland Security Presidential
Directive 12 (HSPD-12) and the Federal Information Processing Standard 201 (FIPS 201).
HSPD-12 mandates that on October 27, 2006, Federal agencies must start issuing FIPS 201
compliant common identification cards (smart cards) for controlling physical and logical access
to government facilities and information systems. The government will eventually roll out the smart
cards to millions of Federal employees and contractors, and FIPS 201 requires that each card
must contain a unique credential number, a digital certificate and an expiration date.

"GSA's FIPS 201 approval of the Tumbleweed Validation Authority certifies that our product
meets Federal PIV requirements for functionality and government-wide interoperability, providing
Federal agencies with the flexibility to deploy a single infrastructure capable of multiple validation
protocols in both enterprise and Federal Bridge-enabled environments," said Ann Smith, Vice
President of Federal Sales for Tumbleweed. "Functionality, flexibility, and interoperability are key
factors for agencies to keep in mind as they seek to satisfy current needs and anticipate future
requirements relevant to HSPD-12/FIPS 201 compliant solutions. This is especially true for
agencies that will need to support trusted relationships with external, cross-certified PKIs."

When a government or contractor employee uses the smart card to access a Federal information
system or facility, the Tumbleweed Validation Authority enables FIPS 201 mandated digital
certificate validation via OCSP in a process that is instantaneous and completely transparent to
the end user. The Tumbleweed Validation Authority also meets the GSA's requirements for

thefreelibrary.com/_/…/PrintArticle.asp… 1/4
1/6/2011 Tumbleweed Validation Authority Secu…
Delegated Path Discovery and Validation, enhancing validation services for cross-certified
entities.

Recently, Tumbleweed authorized reseller, Operational Resource Consultants (ORC), a leading

provider of PKI authentication services, was granted certification as an HSPD-12 Shared
Service Provider (SSP), utilizing the Tumbleweed Validation Authority to provide validation
services for its Federal customers.

The Tumbleweed Validation Authority is the most widely deployed identity validation solution
within U.S. Department of Defense (DoD) and Intelligence communities, offering critical
infrastructure and identity protection in demanding environments. The product suite also features
a broad portfolio of independent third party evaluations and certifications, including Common
Criteria Evaluation Assurance Level (EAL) 3 certification, based on one of the strongest
protection profiles for PKI products.

The FIPS 201 certification extends to the following components of the Tumbleweed Validation
Authority product suite:

* Tumbleweed Validation Authority (VA Server) - A FIPS 140-2 high-performance multi-platform

solution to process client digital certificate status queries using a number of different protocols
including OCSP, SCVP, and VA certificate revocation lists (CRL). The platform also includes the
Tumbleweed Valicert VA Repeater, available as software or as a hardware appliance. The VA
Repeater Appliance solution offers a secure, hardened Linux-based platform, with
Tumbleweed's Repeater Server software to provide a drop-in solution for deploying a high-scale,
high-reliability digital certificate infrastructure for distributed hosted computing environments

* Server Validator - A flexible plug-in application for enabling digital certificate validation in the
most widely used secure Web servers and Web application servers available on UNIX, Linux,
Windows, and Apple server platforms

* Desktop Validator (Standard and Enterprise) - Flexible client solutions for enabling Microsoft
Windows based desktop and server applications to validate digital certificates via the Microsoft
Cryptographic API (CAPI). Includes support for automatically deploying and configuring Desktop
Validator plug-ins for ease of large-scale deployment

SAFE HARBOR STATEMENT

Tumbleweed cautions that forward-looking statements contained in this press release are based
on plans and expectations as of the date of the press release, and that a number of factors could
cause the actual results to differ materially from the guidance given at this time. These factors are
described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release
may constitute forward-looking statements that involve risks and uncertainties that could cause
actual results to differ materially from those projected, particularly with respect to the functionality
and performance of the products in the Tumbleweed Validation Authority product suite, as well
as the continued compliance of such products with requirements such as those relevant to
HSPD-12 or FIPS. In some cases, forward-looking statements can be identified by terminology
thefreelibrary.com/_/…/PrintArticle.asp… 2/4
1/6/2011 Tumbleweed Validation Authority Secu…
such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans,"
"believes," "estimates," and similar expressions. For further cautions about the risks of investing
in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the
Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 16,
2006 and Form 10-Q filed August 8, 2006.

Tumbleweed assumes no obligation to update information contained in this press release.

Although this release may remain available on Tumbleweed's website or elsewhere, its
continued availability does not indicate that Tumbleweed is reaffirming or confirming any of the
information contained herein.

About Tumbleweed Validation Authority

Tumbleweed Validation Authority (VA) (formerly known as Valicert Validation Authority), the
leading identity validation solution, enables banks, governments, and businesses worldwide to
secure highly valued and trusted transactions, ranging from corporate network access to multi-
million dollar electronic transactions to physical access of military facilities. VA is a fourth-
generation product line, offering a comprehensive, scalable, and reliable framework for real-time
validation of digital certificates, based on numerous well-accepted international security
standards and open technologies. VA is Certificate Authority neutral, FIPS 140-1, DOD JITC,
Identrust, and Common Criteria compliant, as well as part of the Identrust, SWIFT Trust Act,
BACS and Global Trust Authority financial trust infrastructures. VA has been deployed by
hundreds of customers worldwide for over ten years, including the U.S. Department of Defense
and all branches of the U.S. military which utilize VA to check the status of more than 3.5 million
Common Access Cards used to secure system and network access, email, and other mission-
critical resources.

About Tumbleweed Communications Corp.

Tumbleweed provides security solutions for email protection, file transfers, and identity validation
that allow organizations to safely conduct business over the Internet. Tumbleweed offers these
solutions in three comprehensive product suites: MailGate[R], SecureTransport[TM], and
Validation Authority[TM]. MailGate provides protection against spam, viruses, and attacks, and
enables policy-based message filtering, encryption, and routing. SecureTransport enables
business to safely exchange large files and transactions without proprietary software. Validation
Authority is the world-leading solution for determining the validity of digital certificates.
Tumbleweed's enterprise and government customers include ABN Amro, Bank of
America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group
(Blue Cross/Blue Shield), St. Luke's Episcopal Healthcare System, the U.S. Food and Drug
Administration, the U.S. Department of Defense, and all four branches of the U.S. Armed Forces.
Tumbleweed was founded in 1993 and is headquartered in Redwood City, Calif. For additional
information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

Tumbleweed, the Arrows logo, MailGate, SecureTransport, Tumbleweed Validation Authority

and Validation Authority are either registered trademarks or trademarks of Tumbleweed
Communications Corp. in the United States and/or other countries. All other trademarks are the
property of their respective owners.

thefreelibrary.com/_/…/PrintArticle.asp… 3/4
1/6/2011 Tumbleweed Validation Authority Secu…
COPYRIGHT 2006 Business Wire
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

thefreelibrary.com/_/…/PrintArticle.asp… 4/4