Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 15/274,880 filed on 10/15/2020; claims 3, 11-20, and 26 were cancelled; claims 1-2 and 21 have been amended; and claims 1 and 21 are independent claims. Claims 1-2, 4-10, and 21-26 have been examined and are pending. This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 10/15/2020, with respect to limitations listed below, have been fully considered but they are not persuasive.
a. Applicants argue: “Claim 1 recites a “computer system” “authenticating the first request [for credential information] including [] verifying that the first device is being used by the first user account.” Claim 1 further recites that “the verifying includes receiving password information of the first user account from the first device” and has been amended to recite that “the password information is derived from a password usable by the first user account to log into the first device.” Applicant submits that the combination of references does not teach or suggest, at least, these features of claim 1” (Remark, page 8).


Story discloses (d) authenticating the first request, including: (e) verifying that the first device is being used by the first user account (Story: par. 0027; fig. 4, par. 0044, At 414, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412. Again, this second authentication can proceed similarly to that described above. Once the credential management service has authenticated the user at 414, the credential server device 116 can retrieve, at 416, one or more sets of credentials for the various network service(s) that the user and/or the second client device is authorized to access), wherein the verifying includes receiving password information of the first user account from the first device (Story: par. 0027; fig. 4,  par. 0044, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412).
Stuntebeck discloses managed real-time communications between user devices wherein authenticating, granting or denying the first request for the credential information (Stuntebeck: par. 0034, The authentication service 135 is executed to receive a request for access to resources 136 from an application executed on client device 120 and to determine whether to grant or deny the request 136.  Upon determining to grant the request 136, the authentication service 135 may then send access credentials). 

(Mahaffey: Col. 17, lines 22-35, a user enters password on a device, which generates a password-derived key (e.g. using PBKDF2, SHA-1 to hash the password creating a key, bcrypt or scrypt to generate a key)…). 
It is clear that the combination of Story, Stuntebeck, and Mahaffey as a whole does teach the aforementioned limitations.
b. Applicants argue: Story does not teach wherein the received registration information includes a token assigned to the first device (Remark, page 8).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Story does disclose the aforementioned limitations as the following:
Story discloses wherein the received registration information includes a token assigned to the first device (Story: fig. 2, par. 0027; credential data 216 [i.e. registration information] includes tokens).
It is clear that Story does teach the aforementioned limitations.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.
Claims 1-2, 4, 21-22, and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014).
Regarding claim 1, Story discloses a computer system, comprising: 
one or more processors (Story: fig. 2, par. 0023); and
memory having program instructions stored therein that are executable by the one or more processors (Story: fig. 2, par. 0023) to cause the computer system to perform operations including:
storing registration information identifying a plurality of devices as being registered to an organization (Story: par. 0011, network service access credentials (e.g. network service set identification (SSID), password, and so forth); par. 0012, Any client device that has been registered for the user can periodically retrieve and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth … stored credentials. In this way, when one device belonging to a common device group; par. 0027, Credential data 216 can include credentials enabling access to network services, such as logins, SSIDs, passwords, tokens, certificates, and the like; Also see, figs. 6-7, SSIDs such as “abcxyz,” “corp1,” “corp2,” and authorized devices such as “laptop1,” “phone0,” “reader2” are examples of registration information; pars. 0062-0063);
(Story: abstract; first device can upload the credentials used to access the network service to a cloud-hosted credential service; par. 0011, network service access credentials (e.g. network service set identification (SSID), password, and so forth); See also par. 0012, Any client device that has been registered for the user can periodically retrieve and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth; Also see, par. 0041, figs. 6-7, pars. 0062-0063);
receiving, over a network from a first device, a first request for credential information of a first of the plurality of user accounts (Story: par. 0012, Any client device that has been registered for the user can periodically retrieve and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth. When the client device is able to access one of the network services (e.g., when in range of a wireless network), the client device can automatically access, join and/or login to that service using the stored credentials. In this way, when one device belonging to a common device group, user and/or user account is authenticated to the credential management service), wherein the credential information includes user names and passwords of the first user account (Story: pars. 0001, 0013, 0016, credentials; par. 0027, credential data can include credentials enabling access to network services, such as logins, SSIDs, passwords, tokens, certificates, and the like);
authenticating the first request, including:
verifying that the first device is being used by the first user account (Story: par. 0027; fig. 4,  par. 0044, At 414, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412. Again, this second authentication can proceed similarly to that described above. Once the credential management service has authenticated the user at 414, the credential server device 116 can retrieve, at 416, one or more sets of credentials for the various network service(s) that the user and/or the second client device is authorized to access), wherein the verifying includes receiving password information of the first user account from the first device (Story: par. 0027; fig. 4,  par. 0044, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412); and
determining, based on the registration information, whether the first device is one of the plurality of devices registered to the organization (Story: fig. 4, pars. 0012, 0027, 0044, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412…; set of credentials includes authorized networks & authorized devices which are registration information; See also fig. 7, par. 0075), wherein the registration information is distinct from the password information (Story: figs. 6-7; par. 0075, SSIDs such as “abcxyz,” “corp1,” “corp2,” and authorized devices such as “laptop1,” “phone0,” “reader2” are examples of registration information that are different from passwords; Also see pars. 0062-0063);
Story discloses determining, based on the registration information, whether the first device is one of the plurality of devices registered to the organization, but does not explicitly disclose, based on the authenticating, granting or denying the first request for the credential information.
However, in an analogous art, Stuntebeck discloses managed real-time communications between user devices wherein authenticating, granting or denying the first request for the credential information (Stuntebeck: par. 0034, The authentication service 135 is executed to receive a request for access to resources 136 from an application executed on client device 120 and to determine whether to grant or deny the request 136.  Upon determining to grant the request 136, the authentication service 135 may then send access credentials). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stuntebeck with the method and system of Story, wherein determining, based on the registration information whether the first device is one of the plurality of devices; and based on the authenticating, granting or denying the first request for the credential (Stuntebeck: par. 00018).
Story does not explicitly disclose wherein the password information is derived from a password usable by the first user account to log into the first device;
However, in an analogous art, Mahaffey discloses a system and method for performing an action based upon two-party authorization, wherein the password information is derived from a password usable by the first user account to log into the first device (Mahaffey: Col. 17, lines 22-35, a user enters password on a device, which generates a password-derived key (e.g. using PBKDF2, SHA-1 to hash the password creating a key, bcrypt or scrypt to generate a key)…).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mahaffey with the method and system of Story and Stuntebeck, wherein the password information is derived from a password usable by the first user account to log into the first device, to provide users with a means by which an action is permitted to be performed on a computing device only after the action has been confirmed by two or more authorized and/or authenticated parties (Mahaffey: abstract).
Regarding claim 2, the combination of Story, Stuntebeck, and Mahaffey teaches the computer readable medium of claim 21. Story further discloses wherein the received registration information includes a token assigned to the first device (Story: fig. 2, par. 0027; credential data 216 [i.e. registration information] includes tokens).
Regarding claim 4, the combination of Story, Stuntebeck, and Mahaffey teaches the computer system of claim 1. The combination of Story, Stuntebeck, and Mahaffey further teaches wherein the operations include:
receiving, from a second device, a second request for credential information of the first user (Story: par. 0012, Any client device that has been registered for the user can periodically retrieve and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth.);
authenticating the second request, including:
verifying that the second device is being used by the first user (Story: par. 0027; fig. 4,  par. 0044, At 414, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412. Again, this second authentication can proceed similarly to that described above. Once the credential management service has authenticated the user at 414, the credential server device 116 can retrieve, at 416, one or more sets of credentials for the various network service(s) that the user and/or the second client device is authorized to access); and 
determining, based on the registration information, whether the second device is one of the plurality of devices (Story: fig. 4,  par. 0044, At 414, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412. Again, this second authentication can proceed similarly to that described above. Once the credential management service has authenticated the user at 414, the credential server device 116 can retrieve, at 416, one or more sets of credentials for the various network service(s) that the user and/or the second client device is authorized to access); and
based on the authenticating of the second request, granting or denying the second request for the credential information (Story: par. 0027; fig. 4, pars. 0012, 0044, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412; Stuntebeck: par. 0034).
Regarding claim 21, claim 21 is directed to a non-transitory computer readable medium having program instructions stored therein that are executable by a computer system to cause the computer system to perform operations associated with the method claimed in claim 1; claim 21 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 22, claim 22 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 25, the combination of Story, Stuntebeck, and Mahaffey teaches the computer system of claim 1. Stuntebeck further discloses wherein the registration information includes information indicative of a unique identifier assigned to the first device (Stuntebeck: par. 0023; Access credentials related to a device may uniquely identify the device and may comprise, for example, a unique hardware identifier such as a GUID (Globally Unique Identifier), UUID (Universally Unique Identifier), UDID (Unique Device Identifier), serial number, IMEI (Internationally Mobile Equipment Identity), Wi-Fi MAC (Media Access Control) address, Bluetooth MAC address, a CPU ID, and/or the like, or any combination of two or more such hardware identifiers).
Regarding claim 26, the combination of Story, Stuntebeck, and Mahaffey discloses the computer system of claim 25.  Stuntebeck further discloses wherein the unique identifier is stored in the first device at fabrication (Stuntebeck: par. 0023; Access credentials related to a device may uniquely identify the device and may comprise, for example, a unique hardware identifier such as a GUID (Globally Unique Identifier), UUID (Universally Unique Identifier), UDID (Unique Device Identifier), serial number, IMEI (Internationally Mobile Equipment Identity), Wi-Fi MAC (Media Access Control) address, Bluetooth MAC address, a CPU ID, and/or the like, or any combination of two or more such hardware identifiers).
Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014), and Gentile et al. (“Gentile,” US 2011/0208857), and McDonald et al. (“McDonald,” US 2014/0208112).
Regarding claim 5, the combination of Story, Stuntebeck, and Mahaffey teaches the computer system of claim 1. Story further discloses authenticating the first request including verifying the first device is being used by the first user (Story: fig. 4, par. 0044, At 414, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412. Again, this second authentication can proceed similarly to that described above. Once the credential management service has authenticated the user at 414, the credential server device 116 can retrieve, at 416, one or more sets of credentials for the various network service(s) that the user and/or the second client device is authorized to access; par. 0072; authentication system 100 can be configured such that any device can be used as the verifying client device 105B, regardless of whether the verifying client device 105B belongs to the requesting user, as long as that device 105B can be associated  with the requesting user.)
Story, Stuntebeck, and Mahaffey do not explicitly disclose initializing the first user account, wherein the initializing includes creating an initial password for the first user account; in response to receiving information indicative of the initial password, instructing a user of the first user account to create a new password that is simpler than initial password; and using the new password to verify that the first device.
However, in an analogous art, Gentile discloses method, system, and computer readable medium for gathering usage statistics, wherein
initializing the first user account, wherein the initializing includes creating an initial password for the first user account (Gentile: par. 0198, initial password);
in response to receiving information indicative of the initial password, instructing a user of the first user account to create a new password (Gentile: par. 0198; prompt the user to enter a password of a specific type (i.e. containing a minimum number of characters) and may require that the user enter the new password twice for confirmation).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gentile with the  authentication between the remote device and a central server, thus ensuring security (Gentile: abstract, pars. 0014, 0016).
Gentile does not explicitly disclose creating a new password that is simpler than the initial password.
However, in an analogous art, McDonald discloses providing an encrypted account credential from a first device to second device, wherein a user chooses a simple password based on a small subset of available characters (McDonald: par. 0004).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of McDonald with the method and system of Story, Stuntebeck, Mahaffey, and Gentile, wherein creating a new password that is simpler than the initial password, to provide users with a means for easily remembering the password (McDonald: par. 0004).
Regarding claim 6, the combination of Story, Stuntebeck, Mahaffey, Gentile, and McDonald teaches the computer system of claim 5. The combination of Story, Stuntebeck, Gentile, and McDonald further discloses wherein the operations include:
receiving, from the organization, registration information identifying a plurality of users associated with the organization (Story: par. 0012); and
initializing the first user account in response to receiving the registration information (Story: par. 0012; Gentile: par. 0198).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014), and Gentile et al. (“Gentile,” US 2011/0208857), and McDonald et al. (“McDonald,” US 2014/0208112), and Raikar et al. (“Raikar,” US 2005/0114673).
Regarding claim 7, the combination of Story, Stuntebeck, Mahaffey, Gentile, and McDonald teaches the computer system of claim 5. Story, Stuntebeck, Gentile, and McDonald do not teach wherein the operations include: storing different, organization-specified password policies for ones of the plurality of devices, wherein the different password policies identify different criteria for permissible passwords; and wherein the instructing includes indicating, based on one of the different password policies, a permissible complexity for the new password to the first user account.
However, in an analogous art, Raikar discloses method and system for establishing a consistent password policy. In one embodiment, Raikar discloses 
(Raikar: abstract, pars. 0007, 0025, 0043), wherein the different password policies identify different criteria for permissible passwords (Raikar: abstract, pars. 0007, 0025, 0043); and
wherein the instructing includes indicating, based on one of the different password policies, a permissible complexity for the new password to the first user account (Raikar: par. 0025, strong password).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Raikar with the method and system of Story, Stuntebeck, Mahaffey, Gentile, and McDonald, wherein storing different, organization-specified password policies for ones of the plurality of devices, wherein the different password policies identify different criteria for permissible passwords; and wherein the instructing includes indicating, based on one of the different password policies, a permissible complexity for the new password to the first user account to provide users with means for establishing consistent password policy in enterprise scale computing system by using password policy enforcement agent accessing password policy data structure and enforcing one of password policies in data structure and exhibits compatibility with existing computer system operations (Raikar: abstract, par. 0007).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014), and Khan (“Khan,” US 2017/0053301).
Regarding claim 8, the combination of Story, Stuntebeck, and Mahaffey teaches the computer system of claim 1. The combination of Story, Stuntebeck, and Mahaffey discloses storing registration information identifying a plurality of devices as being registered to an organization; receiving, over a network from a first device, a first request for credential information of a first of a plurality of users associated with the organization; and granting requests for credential information as recited above.  Story, Stuntebeck, and Mahaffey do not explicitly disclose one or more hardware security modules (HSMs) configured to: store encryption keys usable to decrypt credential information for the plurality of user accounts including the requested credential information of the first user account; and grant the first request by using one of the stored encryption keys to decrypt the requested credential information to the first device.
However, in an analogous art, Khan discloses system for performance secure mobile payment and non-payment transactions with integrated loyalty, rewards and promotion. In one embodiment, Khan discloses that a security module (HSM) may be used to store or encrypt/decrypt the encryption keys (Khan: par. 0045, A hardware security module (HSM) 120, which is hardware that is hardened against attack and unauthorized access, may be used to store or encrypt/decrypt the encryption keys used by system 100).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Khan with the (Khan: par. 0170).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014), and Dillaway et al. (“Dillaway,” US 2008/0066147), and Paden et al. (“Paden,” US 2006/0059362).
Regarding claim 9, the combination of Story, Stuntebeck, and Mahaffey teaches the computer system of claim 1. Story, Stuntebeck, and Mahaffey do not explicitly disclose, wherein the operations include:
storing administration information defining a hierarchical relationship among a plurality of administrators such that a higher-level administrator is able to administer a superset of user accounts that includes a set of accounts administered by a lower-level administrator.
However, in an analogous art, Dillaway teaches composable security policies. In one embodiment, Dillaway discloses defining peer relationships (e.g., allowing another (Dillaway: par. 0079).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dillaway with the method and system of Story, Stuntebeck, and Mahaffey, wherein storing administration information defining a hierarchical relationship among a plurality of administrators such that a higher-level administrator is able to administer a superset of user accounts that includes a set of accounts administered by a lower-level administrator, to provide users with a means by which the authorization decision is made in response to the resource request and based on the composed effective policy, thus arbitrarily and flexibly delegating policy authoring rights (Dillaway: abstract).
Dillaway does not explicitly disclose receiving a request from one of the plurality of administrators to reset the first user account; based on the administration information, verifying whether the administrator has authority to administer the first user account; and resetting the first user account in response to verifying that the administrator has the authority.
However, in an analogous art, Paden discloses automated password reset via an interactive voice response system. In one embodiment, Paden discloses validating that the user is authorized to reset passwords of the selected accounts based upon received validation information (Paden: par. 0036).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Paden with the method and system of Story, Stuntebeck, Mahaffey, and Dillaway wherein receiving a (Paden: par. 0013).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014), and Wang (“Wang,” US 2008/0102792).
Regarding claim 10, the combination of Story, Stuntebeck, and Mahaffey teaches the computer system of claim 1.  The combination of Story, Stuntebeck, and Mahaffey further discloses wherein the operations include: 
 establishing an access code associated with a second device that is not one of the plurality of devices (Story: par. 0012, Any client device that has been registered for the user can periodically retrieve (i.e.  and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth);
 receiving, from the second device, a second request for the credential information of the first user account (Story: par. 0012, Any client device that has been registered for the user can periodically retrieve and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth).
authenticating the second request, including:
verifying that the second device is being used by the first user account (Story: par. 0027; fig. 4,  par. 0044, At 414, the credential server device 116 may authenticate the user based at least in part on the additional set of credentials provided by the user of the second client device 110 at 412. Again, this second authentication can proceed similarly to that described above. Once the credential management service has authenticated the user at 414, the credential server device 116 can retrieve, at 416, one or more sets of credentials for the various network service(s) that the user and/or the second client device is authorized to access); 
based on the authenticating of the second request, granting the second request for the credential information (Story: par. 0012, Any client device that has been registered for the user can periodically retrieve and store one or more sets of credentials from the credential management service, each set of credentials enabling access to a network service such as a wireless network service, wired network service, web service, e-commerce service, and so forth.  When the client device is able to access one of the network services (e.g., when in range of a wireless network), the client device can automatically access, join and/or login to that service using the stored credentials.  In this way, when one device belonging to a common device group, user and/or user account is authenticated to the credential management service; Stuntebeck: par. 0034).

However, in an analogous art, Wang discloses media distribution method for mobile communication device. In one embodiment, Wang discloses confirming the mobile phone of the registered user being able to retrieve the media information by matching the access code with the verification code (Wang: par. 0046).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the method and system of Story, Stuntebeck, and Mahaffey, wherein confirming that an access code received from the second device matches the established access code, to provide users with a system that facilitates information exchange between the mobile terminal and the service provider, allows a mobile phone user to obtain and transmit media information, avoids the need for users to use any laptop computers for obtaining media information, avoids the need for the user to separately subscribe to separate services of a telecommunication network and Internet connection, and prevents the media information from being transmitted to unauthorized persons (Wang: pars. 0011-0014).





Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Story, JR. (“Story,” US 2014/0165165) in view of Stuntebeck et al. (“Stuntebeck,” US 2016/0105463, filed on Dec. 18, 2015), further in view of Mahaffey et al. (“Mahaffey,” US 9,602,508, filed Dec. 26, 2014), and Morten (“Morten,” US 2008/0126806, published on May 29, 2008).
Regarding claim 23, the combination of Story, Stuntebeck, and Mahaffey teaches the computer readable medium of claim 21. Story, Stuntebeck, and Mahaffey do not explicitly disclose wherein the received registration information includes a digital signature generated by a private key maintained by the first device.
However, in an analogous art, Morten discloses pre-binding and tight binding of an on-line identity to a digital signature, wherein the received registration information includes a digital signature generated by a private key maintained by the first device (Morten: par. 0073; because the asymmetric key pair is generated by the registering entity, preferably on a device of the registering entity, the access to the private key is restricted to the registering entity.  Moreover, because the private key is used to sign the registration application, the information provided in the registration application is tightly bound to the identity and the digital signature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Morten with the method and system of Story, Stuntebeck, and Mahaffey, wherein the received registration information includes a digital signature generated by a private key maintained by the first device to provide users with means for enabling the access to the digitally signed information or the public key to determine that the message is associated with one of the (Morten: )
Regarding claim 24, the combination of Story, Stuntebeck, Mahaffey, and Morten teaches the computer readable medium of claim 23. Morten further discloses wherein the received registration information includes a public key certificate including the digital signature (Morten: par. 0014; digital certificate may also include other information, such as a digital signature of the certification authority or other certifying entity).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
January 14th, 2021


/LUU T PHAM/
Supervisory Patent Examiner, Art Unit 2439