Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Status of Claims
Claims 1, 3-5, 7-10, 12-20 are subject to examination.  Claims 2, 6, and 11 are cancelled.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 3, 4, and 18 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1, recites the limitation "the verification result" in last line of the claim.  There is insufficient antecedent basis for this limitation in the claim. See claims 5 and 10, regarding “verification result”. Claims 3, 4, and 8 depend upon claim 1. Hence, claims 1, 3, 4, and 18 are subject to 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph rejections.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 1, is rejected under 35 U.S.C. 103 as being unpatentable over Frahim et al., Cisco Technology, 2017/0099321 in view of Bu et al., 20080159299 and Acar et al., 2010/0208898.
Referring to claim 1, Frahim-Cisco discloses a computer-implemented method for cross domain registration by a source domain, the method comprising:
[0003] In order to utilize partner ecosystems, enterprises frequently look for identity brokerage services to allow users from partner enterprises to access their resources and infrastructure.  Remote Authentication Dial-In User Service (RADIUS), which was designed with an enterprise focus, is one of the most commonly used protocols for authenticating network-based and remote-access users (or even devices) when devices and/or users need authentication services to access resources included in an enterprise network domain.  Additionally, in some instances, two enterprises may agree to form a federation relationship that helps broker information from one identity database in a first enterprise network domain to another that is maintained and managed by a different enterprise network domain.  In a federation relationship, the partner enterprises are interconnected and configured to operate in a common management framework under a common management authority.  The interdependency between different entities in cross-domain relationships further increases the infrastructure complexity.

    PNG
    media_image1.png
    770
    582
    media_image1.png
    Greyscale

sending, by a source domain, a request to register the source domain as a trusted domain of a target domain, receiving, by the source domain, an approval of the request,  
first enterprise network domain 112 and one or more entities in the second enterprise network domain 114 based on the one or more criterion received at step 230.  In some embodiments, the policy server 118 may establish a federation relationship between two enterprise network domains selected from a list of enterprise network domains that have already established a trust relationship with the policy server 118 (i.e., enterprise network domains that have already registered or enrolled in the federation service) based on the one or more criterion received at step 230.  Additionally or alternatively, the policy server 118 may send or accept requests to form a federation relationship based on the criteria received at step 230.  In these instances, the criteria may define requests that should be made to other enterprise network domains and/or which requests should be accepted from other enterprise network domains enrolled with the federation system.
[0011] By establishing a trust relationship between a "central hub" and enterprise network domains (i.e., authenticating the identity of each enterprise network domain) prior to allowing any two enterprise domains to enter into or form a trusted relationship, the techniques provided herein enable authentication or identification processes to be separated from federation or partnership processes.  Consequently, a much more flexible and scalable form of federations can be created.  For example, instead of managing (i.e. developing and enforcing) peering or partnership policies for every partner, an enterprise can manage and enforce a single set of policies that can be scaled to any number of partners via the central hub (i.e., policy server), thereby reducing the required number of managed policies from a multiple of the number of partners (i.e., N partners.times.M policies) to a sum of the number of partners and the number of policies (i.e., N partners+M policies).  Moreover, semantic trust separation makes it natural and easy to establish ad-hoc or permanent sub-federations (subsets of entities within the federation) and recursive federations which may further reduce the number of policies that an enterprise needs to manage to control the access provided to partner enterprises.  Still further, by moving the policy enforcement to the cloud, administrators can benefit from predefined federations and sub-federations and implementing a network roaming policy can be as simple as clicking a checkbox.
issuing, by the source domain, a key to an application of the source domain (trust relationship established using PKI, claim 7, para 35),  for accessing the target domain, verifying, by the source domain, the key issued to the application and passed by the target domain to determine whether the application associated with the key is allowed to access the target domain (based on the key access is allowed, para 35), and providing, by the source domain, information to the target domain (authentication process, para 18).

[0018] Once a trust relationship is established at step 210, the first enterprise network domain 112 is considered a part of an identification federation service provided by the policy server 118.  However, the first enterprise network domain 112 cannot send or process any requests through or from the policy server 118, respectively, to establish a federation relationship until the policy server 118 establishes a trust relationship with another participating enterprise.  Consequently, at step 220, a trust relationship is established with a second enterprise network domain, e.g., enterprise network domain 114.  A trust relationship can be established with the second enterprise network domain 114 in the same manner that a trust relationship is established with the first enterprise network domain 112 at step 210.  In other words, the policy server 118 can establish a trust relationship with the second enterprise network domain 114 by automatically exchanging metadata with a server 224 in the second enterprise domain 114, by enrolling the second enterprise network domain 114 and configuring the second enterprise network domain 114 and policy server 118 accordingly, or any other manner.  Since the technical trust establishment performed at steps 210 and 220 involves authenticating endpoints, and does not involve business relationships between enterprises, in some embodiments the trust establishment (i.e., enrollment) can easily be subcontracted and automated.  For example in a managed services offering with an on-premises portion, the necessary technical trust may be part of the already created trust relation between the on-premises portion and the enterprise's cloud infrastructure.

Frahim-Cisco and Bu do not specifically mention about, which is well-known in the art, which Acar discloses, based on the received approval (upon approval request for issuing a key, para 39, verifying validity of the key (whether key is expired and may be replaced with a new key, para 38, 39, verification result (expiry information communicated to devices across domains, obtaining new key(s) and informing other devices about it, para 38, 39). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known new keys upon expiry of the keys. New keys would be issued when the keys expire to maintain secure communications among devices across domains. The approval would be followed by communicating information by the source domain. The new key would be communicated to the destination/target domain by the source domain for security. Acar, para 38, 39.




Claim 3, is rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Bu, Acar, Rudzitis et al., 10,116,440.
Referring to claim 3, Frahim-Cisco discloses informing, by the source domain, the target domain information regarding a key as rejected, para 18, in claim 1. Frahim-Cisco and Bu, Acar do not specifically mention about, which is well-known in the art, which Rudzitis discloses, an approach to determine validity of a key, (informing to the domain about the determination of the validity of the key expiry, col., 14, lines 14-39, col., 18, lines 22-41). 


    PNG
    media_image2.png
    517
    713
    media_image2.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these .  

Claim 4, is rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Bu, Acar, Lee et al., 2009/0240941.
Referring to claim 4, Frahim-Cisco discloses sending, by the source domain, information to the target domain regarding a key, para 18, as rejected in claim 1. Frahim-Cisco, Bu, Acar does not specifically mention about, which is well-known in the art, which Lee discloses, the key associated with the application, col., 18, lines 22-41). 
[0013] According to another aspect of the present invention, there is provided a device authentication apparatus in a multi domain home network environment including a plurality of local domains, the apparatus comprising; a cross-domain authentication means making a mutual link agreement between a local domain and another local domain to authenticate a device registered to the another local domain through a PKI, and exchanging cross-domain certificates used to establish a public key and the agreement fact; a device registration means verifying the device and issuing a local domain certificate used in a local domain to a device requesting registration; and a device verification means receiving the local domain certificate from a device requesting a service, verifying the local domain certificate using a public key thereof or a public key acquired from the cross-domain authentication means, if the local domain certificate is valid, generating a session key to be shared with the device requesting the service, and sending the session key to the device.     11.  The method of claim 10, wherein the verifying whether a service request is valid further comprises: if it is impossible to authenticate the local domain certificate, confirming information of a home local domain from the local domain certificate;  requesting the home local domain to make the mutual link agreement, verifying the local domain certificate of the device using a public key of the home local domain acquired by making of the mutual link agreement, and verifying the signature received from the device;  and if the verification result is valid, generating a session key to be shared with the device, and sending to the device a message obtained by encrypting the session key using the public key of the device, a message obtained by signing the session key and the second random value using the public key of the home gateway, and the cross-domain certificate issued from the home local domain.

    PNG
    media_image3.png
    522
    842
    media_image3.png
    Greyscale

    PNG
    media_image4.png
    531
    919
    media_image4.png
    Greyscale

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these .  

Claims 5, 7, 10, 12, 15, 16, are rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Bu, Acar and Menezes et al., 2012/0167185, Pham 2018/0145985.
Referring to claims 5, 10, Frahim-Cisco discloses a computer-implemented method for cross domain authorization, the method comprising: A computer-implemented system for cross domain authorization, the system comprising: one or more processors; a memory coupled to at least one of the processors; a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions of:
[0003] In order to utilize partner ecosystems, enterprises frequently look for identity brokerage services to allow users from partner enterprises to access their resources and infrastructure.  Remote Authentication Dial-In User Service (RADIUS), which was designed with an enterprise focus, is one of the most commonly used protocols for authenticating network-based and remote-access users (or even devices) when devices and/or users need authentication services to access resources included in an enterprise network domain.  Additionally, in some instances, two enterprises may agree to form a federation relationship that helps broker information from one identity database in a first enterprise network domain to another that is maintained and managed by a different enterprise network domain.  In a federation relationship, the partner enterprises are interconnected and configured to operate in a common management framework under a common management authority.  The interdependency between different entities in cross-domain relationships further increases the infrastructure complexity.

    PNG
    media_image1.png
    770
    582
    media_image1.png
    Greyscale



[0021] At step 240, a federation relationship is established between at least a portion of the first enterprise network domain 112 and one or more entities in the second enterprise network domain 114 based on the one or more criterion received at step 230.  In some embodiments, the policy server 118 may establish a federation relationship between two enterprise network domains selected from a list of enterprise network domains that have already established a trust relationship with the policy server 118 (i.e., enterprise network domains that have already registered or enrolled in the federation service) based on the one or more criterion received at step 230.  Additionally or alternatively, the policy server 118 may send or accept requests to form a federation relationship based on the criteria received at step 230.  In these instances, the criteria may define requests that should be made to other enterprise network domains and/or which requests should be accepted from other enterprise network domains enrolled with the federation system.
[0011] By establishing a trust relationship between a "central hub" and enterprise network domains (i.e., authenticating the identity of each enterprise network domain) prior to allowing any two enterprise domains to enter into or form a trusted relationship, the techniques provided herein enable authentication or identification processes to be separated from federation or partnership processes.  Consequently, a much more flexible and scalable form of federations can be created.  For example, instead of managing (i.e. developing and enforcing) peering or partnership policies for every partner, an enterprise can manage and enforce a single set of policies that can be scaled to any number of partners via the central hub (i.e., policy server), thereby reducing the required number of managed policies from a multiple of the number of partners (i.e., N partners.times.M policies) to a sum of the number of partners and the number of policies (i.e., N partners+M policies).  Moreover, semantic trust separation makes it natural and easy to establish ad-hoc or permanent sub-federations (subsets of entities within the federation) and recursive federations which may further reduce the number of policies that an enterprise needs to manage to control the access provided to partner enterprises.  Still further, by moving the policy enforcement to the cloud, administrators can benefit from predefined federations and sub-federations and implementing a network roaming policy can be as simple as clicking a checkbox.
approving, by the target domain, the request, receiving, by the target domain, a key of an application of the source domain for accessing the target domain and information identifying the source domain, ),  for accessing the target domain, verifying, by the source domain, the key issued to the application and passed by the target domain to determine whether the application associated with the key is allowed to access the target domain (based on the key access is allowed, para 35), and providing, by the source domain, information to the target domain (authentication process, para 18).

[0018] Once a trust relationship is established at step 210, the first enterprise network domain 112 is considered a part of an identification federation service provided by the policy server 118.  However, the first enterprise network domain 112 cannot send or process any requests through or from the policy server 118, respectively, to establish a federation relationship until the policy server 118 establishes a trust relationship with another participating enterprise.  Consequently, at step 220, a trust relationship is established with a second enterprise network domain, e.g., enterprise network domain 114.  A trust relationship can be established with the second enterprise network domain 114 in the same manner that a trust relationship is established with the first enterprise network domain 112 at step 210.  In other words, the policy server 118 can establish a trust relationship with the second enterprise network domain 114 by automatically exchanging metadata with a server 224 in the second enterprise domain 114, by enrolling the second enterprise network domain 114 and configuring the second enterprise network domain 114 and policy server 118 accordingly, or any other manner.  Since the technical trust establishment performed at steps 210 and 220 involves authenticating endpoints, and does not involve business relationships between enterprises, in some embodiments the trust establishment (i.e., enrollment) can easily be subcontracted and automated.  For example in a managed services offering with an on-premises portion, the necessary technical trust may be part of the already created trust relation between the on-premises portion and the enterprise's cloud infrastructure.
Frahim-Cisco does not specifically mention about, which is well-known in the art, which Bu discloses, based on a token identifying the source domain (when the token is included in the packets by the source domain, and the destination/target domain verifies that the token is sent by the source domain, para 72). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known token by the source domain. The token would enable identifying the source domain. The token would be communicated to the destination/target domain.  Upon receiving the token, the destination/target domain would verifying that the token is sent by the source domain for security, Bu, para 72. 
Frahim-Cisco and Bu do not specifically mention about, which is well-known in the art, which Acar discloses, based on the received approval (upon approval request for issuing a key, para 39, checking, by the target, validity of the key, and allowing, by the target, in response to the key being valid, the access from the application of the source (checking whether key is expired and may be replaced with a new key for the access, para 38, 39), verification result (expiry information communicated to devices across domains, obtaining new key(s) and informing other devices about it, para 38, 39). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known new keys upon expiry of the keys. New keys would be issued when the keys expire to maintain secure communications among devices across domains. The approval would be followed by 
Frahim-Cisco, Bu, Acar do not specifically mention about, which is well-known in the art, which Menezes discloses, using both the key and the token as claimed (usage of both token and key for granting network access / authorization / validation request, para 63, 72, cross-domain with corporate network, enterprise network, 52, 2). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide utilizing well-known usage of both token and key for validation request. Having both token and the key, the information about the source/target can be encrypted during communication. The token can be used to store number/identifier information, which can be decrypted to determine that the access associated with the key is allowed for the trusted device. This will ensure that the information communicated among the devices is further secured regarding the validation request, Menezes para 63, 72.  
Frahim-Cisco discloses the source domain, and the target domain regarding a key, para 18, as rejected in claim 1. Frahim-Cisco, Bu, Acar and Menezes do not specifically mention about, which is well-known in the art, which Pham discloses, sending, by the target, the received key back to the source to verify whether the application associated with the received key is allowed to access the target (receiving the key back for validation and informing the peer, para 40). Pham also discloses receiving, by the target, a verification result from the source (informing the peer, para 40).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide validation of the key. After receiving the key back, the key can be matched with the stored key  

Referring to claims 7, 12, Acar also discloses receiving, by the target domain, an approach from the source domain to determine validity of a key, and determining, by the target domain, the validity of the received key by using the approach (approach for determining the validity of the received key, para 38, 39.

Referring to claim 15, Frahim-Cisco discloses the source domain and target domain, para 18, as rejected in claim 10. Acar discloses, verifying, by the source, validity of a key passed by the target to determine whether an application associated with the key is allowed to access the target (checking whether key is expired and may be replaced with a new key for the access, para 38, 39) and providing, by the source, the verification result to the target (expiry information communicated to devices across domains, obtaining new key(s) and informing other devices about it, para 38, 39). 

Referring to claim 16, Frahim-Cisco also discloses informing, by the source domain, the target domain information regarding a key as rejected, para 18, in claims 1/10. Acar also discloses, an approach to determine validity of a key, (informing to the domain about the determination of the validity of the key expiry, para 38, 39). 

Claims 8, 13, are rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Menezes, Pham, Bu, Acar and Allain et al., 20150222615.
Referring to claims 8, 13, Frahim-Cisco discloses requesting, by the target domain, a key issued by the source domain, wherein the issued key is associated with the application from the source 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide validation of the key. The key can be matched with the stored key to ensure that the key is valid. The key expiry can be checked and informed for mutual agreement for a registered device to access the object until the granted authenticated period, Allain, para 70.  

Claims 9, 14, are rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Pham, Menezes, Bu, Acar and Guo et al., 2018/0069751.
Referring to claims 9, 14, Frahim-Cisco discloses the target domain, a key issued by the source domain, wherein the key is associated with the application from the source domain, para 18, as rejected in claim 1. Frahim-Cisco, Bu, Acar, Pham, Menezes do not specifically mention about, which is well-known in the art, which Guo discloses, checking, by the target domain, a stored list to determine whether the received key has been approved before for the same application, para 167. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by Frahim-Cisco to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide validation of the key. The key can be matched with the stored list of keys that are allowed to ensure that the key is part of the stored list of keys that are allowed and valid. The key expiry can be checked and informed for mutual agreement for a registered device to access the object until the granted authenticated period, Guo, para 167.

Claim 17, is rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Pham, Menezes, Bu, Acar and Lee et al., 2009/0240941.
Referring to claim 17, Frahim-Cisco discloses sending, by the source domain, information to the target domain regarding a key, para 18, as rejected in claim 10. Frahim-Cisco, Bu, Acar and Menezes do not specifically mention about, which is well-known in the art, which Lee discloses, the key associated with the application, col., 18, lines 22-41). 
[0013] According to another aspect of the present invention, there is provided a device authentication apparatus in a multi domain home network environment including a plurality of local domains, the apparatus comprising; a cross-domain authentication means making a mutual link agreement between a local domain and another local domain to authenticate a device registered to the another local domain through a PKI, and exchanging cross-domain certificates used to establish a public key and the agreement fact; a device registration means verifying the device and issuing a local domain certificate used in a local domain to a device requesting registration; and a device verification means receiving the local domain certificate from a device requesting a service, verifying the local domain certificate using a public key thereof or a public key acquired from the cross-domain authentication means, if the local domain certificate is valid, generating a session key to be shared with the device requesting the service, and sending the session key to the device.     11.  The method of claim 10, wherein the verifying whether a service request is valid further comprises: if it is impossible to authenticate the local domain certificate, confirming information of a home local domain from the local domain certificate;  requesting the home local domain to make the mutual link agreement, verifying the local domain certificate of the device using a public key of the home local domain acquired by making of the mutual link agreement, and verifying the signature received from the device;  and if the verification result is valid, generating a session key to be shared with the device, and sending to the device a message obtained by encrypting the session key using the public key of the device, a message obtained by signing the session key and the second random value using the public key of the home gateway, and the cross-domain certificate issued from the home local domain.

    PNG
    media_image3.png
    522
    842
    media_image3.png
    Greyscale

    PNG
    media_image4.png
    531
    919
    media_image4.png
    Greyscale


.  

Claim 18, is rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco, Bu, Acar in view of Vasyltasov 20080044010.
Referring to claim 18, Frahim-Cisco, Bu, Acar disclose the claimed limitations as rejected in claim 1. Frahim-Cisco, Bu, Acar do not specifically mention about, which is well-known in the art, which Vasyltasov discloses, based on doubling a value of the token, (usage of doubling operations for the number/token value, para 54, claim 6). 
The specification of this application contains:
[0056] The source domain may issue a key to its application for accessing the target domain at step 403. For example, but without any limitation to this invention, the source domain can issue a key to an application which it believes mature enough to be able to access the target domain. According to an embodiment of the present invention, the key could be issued in response to an application hosted on the source domain requesting to access the target domain (for example making a CORS request to the target domain), which could be understood as an on-line key issuing process. According to another embodiment of the present invention, the key could be issued before there is any actual request from the application intending to access the target domain (for example when an application is set up, it may not have immediate request to access the target domain, but it may have need to access the target domain in the future), which could be understood as an off-line key issuing process. Example of the issued key could be, but not limited to, URL of the application, like “https://www.sourceserver.com/appl”. In other embodiments, other values/characteristics/numbers/symbols, even a file (a certificate for example), etc. can also be used as an issued key. In some embodiments, the key of the application could (1) comprise the token of the source domain like what illustrated above, (2) be independent values/characteristics/numbers/symbols irrelevant to an expression of the token, or (3) be values/characteristics/numbers/symbols derived from the token but does not comprise the token in whole or in part (for example, the token is 1234, the key could be 2468, which representl234*2). In other embodiments, other methods to encode the key can be adopted as well.
.  

Claims 19, 20, are rejected under 35 U.S.C. 103 as being unpatentable over Frahim-Cisco in view of Pham, Menezes, Bu, Acar and Vasyltasov 20080044010.
Referring to claims 19, 20, Frahim-Cisco, Rudzitis, Bu, Acar disclose the claimed limitations as rejected in claim 5, 10. Frahim-Cisco, Bu, Acar do not specifically mention about, which is well-known in the art, which Vasyltasov discloses, based on doubling a value of the token, (usage of doubling operations for the number/token value, para 54, claim 6). 
The specification of this application contains:
[0056] The source domain may issue a key to its application for accessing the target domain at step 403. For example, but without any limitation to this invention, the source domain can issue a key to an application which it believes mature enough to be able to access the target domain. According to an embodiment of the present invention, the key could be issued in response to an application hosted on the source domain requesting to access the target domain (for example making a CORS request to the target domain), which could be understood as an on-line key issuing process. According to another embodiment of the present invention, the key could be issued before there is any actual request from the application intending to access the target domain (for example when an application is set up, it may not have immediate request to access the target domain, but it may have need to access the target domain in the future), which could be understood as an off-line key issuing process. Example of the issued key could be, but not limited to, URL of the application, like “https://www.sourceserver.com/appl”. In other embodiments, other values/characteristics/numbers/symbols, even a file (a certificate for example), etc. can also be used as an issued key. In some embodiments, the key of the application could (1) comprise the token of the source domain like what illustrated above, (2) be independent values/characteristics/numbers/symbols irrelevant to an expression of the token, or (3) be values/characteristics/numbers/symbols derived from the token but does not comprise the token in whole or in part (for example, the token is 1234, the key could be 2468, which representl234*2). In other embodiments, other methods to encode the key can be adopted as well.
.  

Applicant's arguments filed 12/1/20, pages 7-10 have been fully considered but they are not persuasive.  Therefore, rejection of claims 1, 3-5, 7-10, 12-20 is maintained. 
Regarding applicant’s concern for the amended limitations of claims 1, 5, and 10, the rejections are updated accordingly. 
Frahim-Cisco discloses a computer-implemented method for cross domain registration by a source domain, the method comprising:
[0003] In order to utilize partner ecosystems, enterprises frequently look for identity brokerage services to allow users from partner enterprises to access their resources and infrastructure.  Remote Authentication Dial-In User Service (RADIUS), which was designed with an enterprise focus, is one of the most commonly used protocols for authenticating network-based and remote-access users (or even devices) when devices and/or users need authentication services to access resources included in an enterprise network domain.  Additionally, in some instances, two enterprises may agree to form a federation relationship that helps broker information from one identity database in a first enterprise network domain to another that is maintained and managed by a different enterprise network domain.  In a federation relationship, the partner enterprises are interconnected and configured to operate in a common management framework under a common management authority.  The interdependency between different entities in cross-domain relationships further increases the infrastructure complexity.

    PNG
    media_image1.png
    770
    582
    media_image1.png
    Greyscale

sending, by a source domain, a request to register the source domain as a trusted domain of a target domain, receiving, by the source domain, an approval of the request,  
first enterprise network domain 112 and one or more entities in the second enterprise network domain 114 based on the one or more criterion received at step 230.  In some embodiments, the policy server 118 may establish a federation relationship between two enterprise network domains selected from a list of enterprise network domains that have already established a trust relationship with the policy server 118 (i.e., enterprise network domains that have already registered or enrolled in the federation service) based on the one or more criterion received at step 230.  Additionally or alternatively, the policy server 118 may send or accept requests to form a federation relationship based on the criteria received at step 230.  In these instances, the criteria may define requests that should be made to other enterprise network domains and/or which requests should be accepted from other enterprise network domains enrolled with the federation system.
[0011] By establishing a trust relationship between a "central hub" and enterprise network domains (i.e., authenticating the identity of each enterprise network domain) prior to allowing any two enterprise domains to enter into or form a trusted relationship, the techniques provided herein enable authentication or identification processes to be separated from federation or partnership processes.  Consequently, a much more flexible and scalable form of federations can be created.  For example, instead of managing (i.e. developing and enforcing) peering or partnership policies for every partner, an enterprise can manage and enforce a single set of policies that can be scaled to any number of partners via the central hub (i.e., policy server), thereby reducing the required number of managed policies from a multiple of the number of partners (i.e., N partners.times.M policies) to a sum of the number of partners and the number of policies (i.e., N partners+M policies).  Moreover, semantic trust separation makes it natural and easy to establish ad-hoc or permanent sub-federations (subsets of entities within the federation) and recursive federations which may further reduce the number of policies that an enterprise needs to manage to control the access provided to partner enterprises.  Still further, by moving the policy enforcement to the cloud, administrators can benefit from predefined federations and sub-federations and implementing a network roaming policy can be as simple as clicking a checkbox.
issuing, by the source domain, a key to an application of the source domain (trust relationship established using PKI, claim 7, para 35),  for accessing the target domain, verifying, by the source domain, the key issued to the application and passed by the target domain to determine whether the application associated with the key is allowed to access the target domain (based on the key access is allowed, para 35), and providing, by the source domain, information to the target domain (authentication process, para 18).

[0018] Once a trust relationship is established at step 210, the first enterprise network domain 112 is considered a part of an identification federation service provided by the policy server 118.  However, the first enterprise network domain 112 cannot send or process any requests through or from the policy server 118, respectively, to establish a federation relationship until the policy server 118 establishes a trust relationship with another participating enterprise.  Consequently, at step 220, a trust relationship is established with a second enterprise network domain, e.g., enterprise network domain 114.  A trust relationship can be established with the second enterprise network domain 114 in the same manner that a trust relationship is established with the first enterprise network domain 112 at step 210.  In other words, the policy server 118 can establish a trust relationship with the second enterprise network domain 114 by automatically exchanging metadata with a server 224 in the second enterprise domain 114, by enrolling the second enterprise network domain 114 and configuring the second enterprise network domain 114 and policy server 118 accordingly, or any other manner.  Since the technical trust establishment performed at steps 210 and 220 involves authenticating endpoints, and does not involve business relationships between enterprises, in some embodiments the trust establishment (i.e., enrollment) can easily be subcontracted and automated.  For example in a managed services offering with an on-premises portion, the necessary technical trust may be part of the already created trust relation between the on-premises portion and the enterprise's cloud infrastructure.

Frahim-Cisco and Bu do not specifically mention about, which is well-known in the art, which Acar discloses, based on the received approval (upon approval request for issuing a key, para 39, verifying validity of the key (whether key is expired and may be replaced with a new key, para 38, 39, verification result (expiry information communicated to devices across domains, obtaining new key(s) and informing other devices about it, para 38, 39).








Conclusion


    PNG
    media_image5.png
    337
    631
    media_image5.png
    Greyscale

	As seen in the above claim the verifying validity of the key and the providing steps have been merely added in response to the rejections of earlier office action. However, one of ordinary skilled in the art would readily know that checking whether the key expires and providing a new key for the access is well-known in the art. Please see above rejections.

Pertinent References:
	Gammage et al., 20080091765, discloses based on doubling a value of the token, (usage of various techniques for implementing adjustment of tokens and their values, para 36).
Ramarathinam et al., 8,607,054, discloses, any of the above mentioned aspects can be implemented in methods, systems, computer readable media, or any type of manufacture.  For example, a computer readable medium can store thereon computer executable instructions for accessing a virtual machine hosted in a first domain by a client computer in a second domain.  Such media can comprise a first second domain; a fourth subset of instructions for establishing a remote presentation session through the virtualization host in the first domain and sending an indication that a cookie-based authorization will be performed; a fifth subset of instructions for sending to the virtualization host in the first domain a cookie including a signed token and public key; and a sixth subset of instructions for establishing a remote presentation session with the requested virtual machine.  It will be appreciated by those skilled in the art that additional sets of instructions can be used to capture the various other aspects disclosed herein, and that the two presently disclosed subsets of instructions can vary in detail per the present disclosure. Col., 24, lines 1-20.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 5712723862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 
/HARESH N PATEL/Primary Examiner, Art Unit 2493