
United States Marine Corps Secures Semper Fi with Tumbleweed PKI; Tumbleweed PKI Validation Solution's Ability to Distinguish Friend from Foe in Real-Time Enabling Trusted Relationships Essential for Mission Critical Communications

Business Wire, Sept 13, 2005

REDWOOD CITY, Calif. -- Tumbleweed(R) Communications Corp. (NASDAQ:TMWD), a leading provider of e-mail security, file transfer security, and identity validation solutions, today announced that the United States Marine Corps (Marine Corps) has achieved enterprise-wide digital certificate validation with Tumbleweed Validation Authority, the most widely deployed public key infrastructure (PKI) validation solution in the US Department of Defense (DoD). Based on the open standard Online Certificate Status Protocol (OCSP, RFC 2560), VA validates the status of digital certificates in real time, ensuring that revoked credentials cannot be used for secure email, smart card login, web access, wireless, VPN, or other electronic transactions.

Prior to January 2002, the Marine Corps had deployed a PKI validation solution that relied on certificate revocation lists (CRLs) generated by the Defense Information Systems Agency (DISA). Over time, these CRLs became so large in size and number that Marine Corps mission critical applications would ultimately "time out" when attempting to obtain, process, and make a determination on a digital certificate's validity for a given transaction. The growing size of these CRLs threatened to degrade the performance of Marine Corps operations, increasing costs and undermining the integrity of its PKI system, particularly with respect to e-mail communications and other applications dependent upon authentication.

The Marine Corps' objective was to find a PKI validation solution that could speed the real-time validation of digital certificates, ensure secure communications, and support the system-wide use of Common Access Cards (CAC) for cryptographic access to desktop, server, and network resources. The organization was also looking for a solution that would work with its existing consolidated deployment of Responder servers/hardware signing modules (HSMs). Adding more HSMs would increase security compliance costs substantially, since these devices are subject to strict physical and logical security requirements. Other considerations necessitated the ability to provide multilevel failover and backups to ensure continuity of validation in disconnected operating environments.

After a thorough evaluation of PKI validation products and vendors, the Marine Corps selected Tumbleweed VA as the solution that could best support these objectives. The Tumbleweed VA deployment was implemented in a Repeater--Responder configuration to achieve the highest level of reliability, availability and performance. The Repeater component of this configuration also kept deployment and infrastructure costs in line by preserving the previous consolidated deployment of multiple Responder servers/HSMs. Unlike Responders, VA Repeater servers do not require the same level of security and can reside in a wide range of environments at reduced cost.

Today, the Marine Corps is relying on VA to provide enterprise-wide, real-time digital certificate validation throughout the organization, ensuring that revoked credentials are not used for secure email, smart card login, web access, or other electronic transactions. The VA Repeater--Responder configuration is delivering faster, better, and more cost-effective identity validation in desktop and server environments and maintaining system-wide authentication even in disconnected operating conditions.

"Tumbleweed's Validation Authority's comprehensive, scalable and reliable framework for real-time validation of digital certificates has allowed us to strengthen our security posture significantly," said Joseph Seitzer, PKI Integration Team, U.S. Marine Corps. "Its robust security capabilities, ease of administration, and extensibility are ensuring the requisite level of validation essential for establishing the trusted relationships on which our operations depend, whether for exchanging sensitive information, processing transactions, or accessing network systems critical to strategic and tactical units."

"The size and number of CRLs is no longer an issue," Seitzer added. "VA is allowing mission critical applications to perform real-time queries on the status of digital certificates in a much faster, reliable, and cost-effective manner. The speed of secure e-mail communications has increased substantially, server validation is ensuring that only authorized individuals gain access to system resources, and cryptographic logon via smart cards has eliminated the need for multiple passwords for accessing network systems."

The innovative VA Repeater--Responder architecture has already demonstrated its capabilities for maintaining continuity of validation. In one situation, a power outage at a facility caused the responders to go off-line when network connectivity was lost. VA's robust replication system mirrored certificate revocation data across the array of VA servers, allowing the Repeaters to continue providing seamless authentication despite the temporary loss of the Responders. This multilevel support for backup, load balancing, and failover is critical for maintaining the integrity of communications, especially with expeditionary forces.

 


Content provided in partnership with Thompson Gale