Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are pending.  Claims 7-16 have been withdrawn due to an election by phone described below.  Claims 1-6 and 17-20 are under examination; claims 1 (a method) and 17 (a non-transitory CRM) are independent.

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-6 and 17-20, drawn to providing security in a network through administrator controlled certificate distribution, classified in H04L 9/0825.
II. Claims 7-16, drawn to network monitoring by a virtualized central manager, classified in G06F9/455.

The inventions are distinct, each from the other because of the following reasons:
Inventions I and II are related as subcombinations disclosed as usable together in a single combination.  The subcombinations are distinct if they do not overlap in scope and are not obvious variants, and if it is shown that at least one subcombination is separately usable.  
In the instant case, subcombination I has separate utility such as administrator controlled certificate distribution in a managed network.  See MPEP § 806.05(d).
Subcombination II has separate utility such as monitoring a network to discover clients to manage using a virtualized manager.  See MPEP § 806.05(d).


The examiner has required restriction between subcombinations usable together. Where applicant elects a subcombination and claims thereto are subsequently found allowable, any claim(s) depending from or otherwise requiring all the limitations of the allowable subcombination will be examined for patentability in accordance with 37 CFR 1.104.  See MPEP § 821.04(a).  Applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the present application, such claim may be subject to provisional statutory and/or nonstatutory double patenting rejections over the claims of the instant application. 

Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply:
The various scopes and limitations of groups I, II, and III require separate search and consideration.  For example, groups I and III require the obtainment of IP addresses in a particular way, which is absent from group II.  Similarly, Groups I and II require the specifics of certificates, which is absent from group III.  Also, Group III . 
Applicant is advised that the reply to this requirement to be complete must include (i) an election of an invention to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected invention. 
The election of an invention may be made with or without traverse. To reserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the restriction requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable upon the elected invention.
Should applicant traverse on the ground that the inventions are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing the inventions to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the inventions unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103 or pre-AIA 35 U.S.C. 103(a) of the other invention.

During a telephone conversation with Gregory Hunt (Reg. No. 41,085) on 1/14/2021 a provisional election was made without traverse to prosecute the invention of Group 1, claims 1-6 and 17-20.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 7-16 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Applicant is reminded that upon the cancellation of claims to a non-elected invention, the inventorship must be corrected in compliance with 37 CFR 1.48(a) if one or more of the currently named inventors is no longer an inventor of at least one claim remaining in the application. A request to correct inventorship under 37 CFR 1.48(a) must be accompanied by an application data sheet in accordance with 37 CFR 1.76 that identifies each inventor by his or her legal name and by the processing fee required under 37 CFR 1.17(i).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., US 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05) and Averi et al., US 2012/0314578 (filed 2012-12).
As to claims 1 and 17, Oba discloses the method/CRM comprising:
(as to the CRM of claim 17, see Oba ¶ 130)
…  and a first public security certificate (Oba Figure 9 shows a ‘controller node’ sending a certificate to the coordinator, thus the controller node has been configured with said certificate. See also: “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) … having a network control node (NCN) and a plurality of client nodes and, wherein the NCN is separate from each client node and administers and controls a plurality of client nodes (see OBA Figs. 1-2, the coordinator being NCNs and the client nodes being the devices.) …; 
transferring … the first public security certificate from the first network manager to the NCN for installation on the NCN, (The NCN being the coordinator of Figure 9. “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) wherein the first public security certificate contains a first public key corresponding to the first private key; (Oba ¶ 57 “X.509 certificate” x.509 certificates comprise public keys)
automatically distributing by the NCN a first certificate file including the first public security certificate … to the client nodes, wherein the first public security certificate and first public key are stored in each (See Oba Figure 10 step 11. Also: “The key sharing between the participating nodes and the coordinator 20 is carried out through nodes … the coordinator 20 may distribute, to a participating node, a certificate on another participating node.” Oba ¶ 55) of the client nodes; (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. “participating nodes” Oba ¶ 57, plural nodes) and 
… wherein the first server manages the APN. (Oba ¶¶ 122-123 configuration update commands between controller and device)

Oba does not disclose:
configuring a first network manager in a first server with a first private key
for an adaptive private network (APN)
within the APN
, under control of a first network administrator,
and an associated first hash of the first certificate file
verifying in each client node of the one or more client nodes that a generated hash of the distributed first certificate file matches the associated first hash to verify the first public security certificate was properly received, 
APN

Cooper discloses:
configuring a first network manager in a first server with a first private key (“Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital 
 and an associated first hash of the first certificate file (Cooper § 4.1.1.3 signature value, signatures are encrypted hashes.)
verifying in each client node of the one or more client nodes (“Verify the basic certificate information. The certificate MUST satisfy each of the following: The signature on the certificate can be verified using working_public_key_algorithm” Cooper § 6.1.3) that a generated hash of the distributed first certificate file matches the associated first hash to verify the first public security certificate was properly received, (“The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate…. By generating this signature, a CA certifies the validity of the information in the tbsCertificate field. In particular, the CA certifies the binding between the public key material and the subject of the certificate.” Cooper § 4.1.1.3)
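The claim limitation mapped above, a certificate file distributed together with an associated hash that each client node recomputes and compares before accepting the certificate, is illustrated below as an added example. The code is not from the application, from Oba, or from Cooper. It assumes SHA-256 as the hash and a JSON bundle with `certificate` and `sha256` fields as the distribution format; neither is specified by the claims, and the PEM text is a constructed placeholder rather than a real certificate.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample: a placeholder standing in for a PEM-encoded X.509
# certificate. It is not a real certificate and not taken from any reference.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64DERFORTHEFIRSTPUBLICSECURITYCERTIFICATE\n"
    "-----END CERTIFICATE-----\n"
)


def sha256_hex(data: bytes) -> str:
    """The 'associated hash' of a certificate file, hex-encoded (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def build_certificate_bundle(cert_pem: str) -> bytes:
    """NCN side: package the certificate file with its associated hash.

    The JSON bundle layout is an assumption made for this example only.
    """
    cert_bytes = cert_pem.encode("utf-8")
    bundle = {"certificate": cert_pem, "sha256": sha256_hex(cert_bytes)}
    return json.dumps(bundle).encode("utf-8")


def verify_certificate_bundle(bundle_bytes: bytes) -> Tuple[bool, Optional[str]]:
    """Client-node side: regenerate the hash and compare it with the associated one.

    Returns (ok, cert_pem). cert_pem is None whenever verification fails, so a
    caller cannot install a certificate that did not pass the check.
    """
    try:
        bundle = json.loads(bundle_bytes.decode("utf-8"))
        cert_pem = bundle["certificate"]
        expected = bundle["sha256"]
    except (ValueError, KeyError, TypeError):
        return False, None
    if not isinstance(cert_pem, str) or not isinstance(expected, str):
        return False, None
    generated = sha256_hex(cert_pem.encode("utf-8"))
    # Constant-time comparison so the check does not leak how much of the
    # digest matched.
    if not hmac.compare_digest(generated, expected):
        return False, None
    return True, cert_pem


def tamper(bundle_bytes: bytes) -> bytes:
    """Simulate corruption in transit: change one character of the certificate body."""
    bundle = json.loads(bundle_bytes.decode("utf-8"))
    lines = bundle["certificate"].split("\n")
    body = lines[1]
    lines[1] = ("A" if body[0] != "A" else "B") + body[1:]
    bundle["certificate"] = "\n".join(lines)
    return json.dumps(bundle).encode("utf-8")


if __name__ == "__main__":
    bundle = build_certificate_bundle(SAMPLE_CERT_PEM)
    print("intact bundle verifies:", verify_certificate_bundle(bundle)[0])
    print("tampered bundle verifies:", verify_certificate_bundle(tamper(bundle))[0])
```

The hash check confirms that the file the client received is the file the NCN sent, which is what the limitation recites. Because the hash travels in the same bundle as the certificate, anyone who can alter the bundle can also recompute the hash, so on its own the check detects corruption rather than substitution; origin is established separately, by the X.509 signature over the DER-encoded tbsCertificate that Cooper § 4.1.1.3 describes, or by delivering the bundle over the mutually authenticated session of Oba ¶ 57.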

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba with Cooper by utilizing the known X.509 conventions of Cooper; the signature/hash of § 4.1.1.3, the private key of § 3.1, and the certificate verification of § 6.1.3; to generate and validate the controller certificate of Oba.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Oba with Cooper in order to perform X.509 certificate processing that is suggested by Oba ¶ 57, thereby allowing 

Oba in view of Cooper does not disclose:
for an adaptive private network (APN) 
within the APN
, under control of a first network administrator,
APN

Averi discloses:
for an adaptive private network (APN) (“An APN client node 130 is an APN node that does not perform as the APN control point, but instead performs as an APN client point that works in tandem with an external APN control point for the APN node's control and administration.” Averi ¶ 44)
within the APN (“APN conduits may exist between the NCN and up to sixteen APN client nodes as shown in FIG. 2” Averi ¶ 80)
, under control of a first network administrator, (“Each APN conduit may have the unique configuration parameters tailored by an administrator for the particular needs of each geographic location associated with a particular APN.” Averi ¶ 80)
APN (“If the APN node is an APN network control node, the module will serve as the APN control point. If the APN node is an APN client, the module will serve as the APN client point.” Averi ¶ 40)



As to claims 2 and 18 Oba in view of Cooper and Averi discloses the method/CRM of claims 1 and 17 and further discloses: 
configuring a second network manager of a second server (“one coordinator 20 is present in one ECHONET Lite domain (hereinafter may simply be referred to as a “domain”). A domain is one home area network (HAN), for example. At least one controller 30 is present in one domain. Thus, M (M≧1) controllers 30 are present.” Oba ¶ 35. Devices in a domain may be connected to multiple controllers.) with a second (a second controller) private key (“Users of a public key require confidence that the associated private key is owned by the correct remote subject (person or system) with which an encryption or digital signature mechanism will be used. This confidence is obtained through the use of public key certificates, which are data structures that bind public key values to subjects.” § 3.1. possession of the private key is proven by certificate) and a second public security certificate (Oba Figure 9 shows a ‘controller node’ sending a certificate to the coordinator, thus the controller node has been 
transferring, under control of the network administrator, (“Each APN conduit may have the unique configuration parameters tailored by an administrator for the particular needs of each geographic location associated with a particular APN.” Averi ¶ 80) the second public security certificate from the second network manager to the NCN for installation on the NCN, (The NCN being the coordinator of Figure 9. “In this process, X.509 certificate exchange and Elliptic curve Diffie-Hellman (ECDH) key exchange are carried out, and mutual authentication and a session key are established.” Oba ¶ 57) wherein the second public security certificate contains a second public key corresponding to the second private key; (Oba ¶ 57 “X.509 certificate” x.509 certificates comprise public keys)
automatically distributing by the NCN a second certificate file including the second public security certificate and an associated second hash of the second certificate file to the client nodes (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. See Oba ¶ 55, plural nodes), wherein the second public security certificate and second 

As to claims 5 and 20 Oba in view of Cooper and Averi discloses the method/CRM of claims 1 and 17 and further discloses:
discovering that a new client node has been added to the APN creating a new configuration of the APN; (“the device 40 transmits an MIH_MN_Group_Manipulate request message to the coordinator 20. The MIH_MN_Group_Manipulate request message contains “src=IDdev(L), dst=IDdev@IDcdn(L), SAID, Security{TargetID=IDdev@IDctl (E or S), GroupAction=join}”” Oba ¶ 117. Joining means new node.)
exporting the new configuration to the NCN for installation; and (Oba ¶ 117. The device in communication with the NCN/coordinator to join the network.)
automatically sending the public security certificate by the NCN to the new client node after the new configuration has been installed. (“the coordinator 20 transmits an 


Claims 3 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., US 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05) and Averi et al., US 2012/0314578 (filed 2012-12), and Zhu et al., US 2015/0156025 (priority date 2013-04).

As to claims 3 and 19 Oba in view of Cooper and Averi discloses the method/CRM of claims 2 and 18 and further discloses: 
providing the second network manager of the second server to the NCN with credentials signed (Cooper § 4.1.1.3 signature value, signatures are encrypted hashes.) by the second private key to the client nodes; (“the coordinator 20 distributes an X.509 certificate of the controller 30 to the device 40 through pushing (see (11) in FIG. 10).” Oba ¶ 62. See Oba ¶ 55, plural nodes)
to make requests to the client nodes. (Oba ¶¶ 122-123 configuration update commands between controller and device)

Oba in view of Cooper and Averi does not disclose:
checking by the NCN the credentials with the first public security certificate and with the second public security certificate that have been installed; and 


Zhu discloses:
checking by the NCN the credentials with the first public security certificate and with the second public security certificate that have been installed; and (“The client obtains, from the received server handshake message, the identifier of the certificate that the server is ready to use, and searches for the server certificate corresponding to the identifier of the certificate that the server is ready to use, among the server certificates buffered by the client.” Zhu ¶ 110. See also ¶¶ 104 and 105)
permitting the first server, upon finding a match with the first public security certificate, or the second server, upon finding a match with the second public security certificate, (“The client encrypts, by using a public key in a server certificate found by searching, a client key exchange message to be sent, and sends an encrypted client key exchange message to the server. The procedure ends” Zhu ¶ 111. A matching certificate begins the encrypted communication)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper and Averi with Zhu by including the certificate caching mechanisms of Zhu in the key setup/exchange of Oba Figure 9, before allowing the further control aspects of Figures 10 and 25.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the .



Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., US 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05), Averi et al., US 2012/0314578 (filed 2012-12), and Hazlewood et al., US 2009/0327708 (filed 2008-05).
As to claim 4, Oba in view of Cooper and Averi discloses the method of claim 1 but does not disclose: 
further comprising: receiving a new public key at a client node; and 
terminating security connections to the client node that use the first public key.

Hazlewood discloses: 
further comprising: receiving a new public key (“"digital certificate" is used to associate an identity, such as an identity of the user, or of a data process system, with one half of the key pair--the "public" key.” Hazlewood ¶ 10) at a client node; and (“process 700 may be used to distribute renewed certificate to replace expired certificates.” Hazlewood ¶ 97)


A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper and Averi with Hazlewood by determining whether the provided certificates of Oba were expired, expiring, or revoked and forcing an update thereof so as to obtain new certificates to replace the expired certificates.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to renew expired certificates in order to automatically resolve expiring certificates without intervention by a user or administrator, Hazlewood ¶ 30.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Oba et al., US 2016/0066354 (priority date 2014-08) in view of Cooper et al., “Internet X.509 Public Key Infrastructure Certificate” (published 2008-05), Averi et al., US 2012/0314578 (filed 2012-12), and Hicks et al., US 2004/0064760 (filed 2002-09).
GroupAction=join}”” Oba ¶ 117. Joining means new node.)

Oba in view of Cooper and Averi does not disclose:
further comprising: automatically polling for operating statistics of the new configuration of the APN 
Hicks discloses:
further comprising: automatically polling for operating statistics of the new configuration of the APN (“The monitored information may be based on a test of a scheduled duration and polling information specifying when, for example, the device/link Management Information Bases (MIBs) are polled and their utilization statistics are recorded. An exemplary readiness rating operation, with the utilization statistics evaluated and the thresholds applied for particular types of devices/links is as follows.” Hicks ¶ 133, see also table 2-4 on ¶¶ 134-136.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Oba in view of Cooper and Averi with Hicks by retrieving utilization statistics by polling connected network devices in order to assess the network health or readiness.  It would have been obvious to a person of ordinary .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Gabrielson, US 10,454,899, discloses validating certificates of a sender at an intermediary for the purposes of controlling access of data packets to a network.
Guo et al., US 2009/0276841, discloses a trust bridge receiving certificates from clients of a network for intermediating communications with another network.
Gupta et al., US 2013/0024921, discloses a hotspot service provider provisioning a sign-up server with certificates which are then distributed to clients of a WiFi network for authenticating the server.
Hashimoto et al., US 2006/0277406, discloses a management server for managing terminals, the terminals validating a certificate of the management server and terminating communication if that validation fails.
Thornton et al., US 2005/0071630, discloses particulars of certificate verification by client devices by extracting keys from the certificates.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL W CHAO/Examiner, Art Unit 2492