DETAILED ACTION

Currently pending claims are 1, 2, 4, 6, 8, 9, 12, 13 and 18 – 23.

Response to Arguments
Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.
As per claim 1, Applicant asserts that the prior art does not teach the newly amended claim element, in particular outputting the identifier of the security classification as an extension data structure in the digital certificate (Remarks: Pages 8 – 9). Examiner respectfully disagrees, with the following rationale.
(a) Suzuki first teaches a MAC address of a target device is stored as a part of an "extension" information within a "device certificate" (Suzuki: FIG. 15: see the format of an Extension Section w.r.t. a device certificate); and
(b) the stored MAC address can be associated with a part of white list information used for verifying validity of an issuance request of a device certificate and thus, 
(c) the associated MAC address stored at the Extension Section of a device certificate can be used to identify a classification of a white list security group – accordingly, that can be construed as an identifier of the security classification as an extension data structure in the device digital certificate (Suzuki: Col. 5 Line 28 – 34).  As such Applicant's arguments are respectfully traversed.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 4, 6, 8 – 13 and 18 – 23 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Suzuki et al. (U.S. Patent 9,438,583). 

As per claim 21 (& Claim 1 and Claim 18), Suzuki teaches an installation communication network system comprising: 
a first device for operation in an installation communication network containing (Suzuki: Figure 1 / E20a – E20c & Figure 4 / E-20):
an ascertainment unit configured to ascertain security information of the first device, wherein the security information includes at least one of (a) a software level of the device including at least one of a version of the current software of the first device, firmware information of the first device, and implemented applications of the first device, (b) a hash value of the first device, (c) a digital signature of the software level, (d) an attestation of the integrity of the current software of the first device, and (e) an attestation of a configuration of the first device (Suzuki: Figure 1 & Col. 16 Line 34 – 52, Col. 25 Line 2 – 6, Col. 13 Line 3 – 5, Col. 15 Line 1 – 3, Col. 11 Line 6 – 8 / Line 26 – 31 and Col. 12 Line 32 – 37: permitting a communication device (i.e. a 1st device) to communicate over a network by ascertaining security information of the first (1st) device based on (at least) the validity of a software installed at the 1st device, which is not falsified w.r.t. the version and the hash value(s) of the installed software), and 
a requesting unit configured to enter the security information into a request message, and to output the request message to a certificate issuing apparatus for issue of a digital certificate having an identifier of a security classification of the first device (Suzuki: Figure 15, Col. 11 Line 51 – 54 & Col. 16 Line 34 – 52, Col. 25 Line 2 – 6, Col. 13 Line 3 – 5, Col. 15 Line 1 – 3, Col. 11 Line 6 – 8 / Line 26 – 31 and Col. 12 Line 32 – 37: (a) transmitting an issuance request message to a certificate issuance apparatus and said issuance request message includes security information (Col. 11 Line 51 – 54) for issue of a digital certificate having an identifier of a security classification of the first device (see below)), 
wherein the security classification is based on a check of the security information against a prescribed local or network-wide security policy that indicates the required security classification of all devices in an installation communication network (Suzuki: Col. 16 Line 34 – 52, Col. 25 Line 2 – 6, Col. 13 Line 3 – 5, Col. 15 Line 1 – 3, Col. 11 Line 6 – 8 / Line 26 – 31 and Col. 12 Line 32 – 37: see above & below), and 
wherein the identifier is one of a flag confirming a successful check, or a data structure containing information about the security information such that the security classification is verifiable depending on required security classifications of the installation communication network (Suzuki: Figure 15, Col. 16 Line 42, Col. 11 Line 41 – 45, Col. 25 Line 2 – 6 & see above: the issuance of a digital certificate having an identifier of a security classification of the first device such as (a) a flag confirming a successful check (Suzuki: Col. 16 Line 42) presented in the validity field of the issued digital certificate as a validity indicator / flag (Suzuki: FIG. 15) and (b) a data structure with a context of verifiable security information ((e.g.) hash / signature) (Suzuki: Col. 11 Line 41 – 45) having security classifications such as the version and the hash value(s) of the installed software (see above & Col. 25 Line 2 – 6) presented in the electronic signature field of the issued digital certificate (Suzuki: FIG. 15)); 
a second device (Suzuki: Figure 4 / E-30), comprising: 
a reception unit configured to receive the digital certificate having an identifier of the security classification (Suzuki: see above & Figure 4 / E-31 and Figure 12 / E-S31), 
a verification unit configured so as to verify the identifier of the security classification (Suzuki: see above & Figure 12 / E-S32), and 
a performance unit configured so as to perform security measures in accordance with a verification result of the verification unit using security rules, wherein the security measures include use of a network filter rule (Suzuki: see above & Figure 12 / E-S34: any requirement for validating the security measure so as to filter out any potential malicious attack within a network system constitutes a network filter rule); and 
the certificate issuing apparatus for issuing the digital certificate having the identifier of the security classification (Suzuki: see above & Figure 12 / E-S37), containing: 
a second verification unit configured to check the security information received in the certificate request message against the prescribed local or network-wide security policy (Suzuki: see above & Col. 12 Line 32 – 39), and 
an issuing unit configured to insert the identifier, ascertained therefrom by the certificate issuing apparatus, of the security classification of the first device into the digital certificate (Suzuki: see above & Col. 14 Line 1 – 9), wherein the issuing unit is configured so as to output the identifier of the security classification as an extension data structure in the digital certificate or into an attribute certificate associated with the digital certificate (Suzuki: see above & Figure 5 & Col. 5 Line 28 – 34: (a) Suzuki first teaches a MAC address of a target device is stored as a part of an "extension" information within a "device certificate" (Suzuki: FIG. 15: see the format of an Extension Section of a device certificate), and (b) the stored MAC address can be associated with a part of white list information used for verifying validity of an issuance request of a device certificate (Suzuki: Col. 5 Line 28 – 34) and thus, the associated MAC address stored at the Extension Section of a device certificate can be used to identify a classification of a white list security group – accordingly, that can be construed as an identifier of the security classification as an extension data structure in the device digital certificate (Suzuki: Col. 5 Line 28 – 34)).  

As per claim 4, Suzuki teaches wherein the first device requests issue of an identifier of the security classification in an attribute certificate, associated with the digital certificate of the first device, from a certificate issuing apparatus (Suzuki: see above & Col. 14 Line 1 – 9: a digital certificate can be requested from a certificate issuing system and delivered to the requesting entity with a specific format (i.e. X509 v.3 format), which is qualified as an attribute certificate).  

As per claim 6, Suzuki teaches wherein the first device ascertains the security information itself and enters it into the request message, in the form of an attribute (Suzuki: see above & Col. 11 Line 25 – 31 / Line 5 – 8 and Col. 25 Line 1 – 6). 

As per claim 8, Suzuki teaches wherein the certificate issuing apparatus checks the security information against a prescribed security guideline and issues a digital certificate having an applicable identifier of a security classification and transmits said digital certificate to the first device (Suzuki: see above). 

As per claim 9, Suzuki teaches wherein the certificate issuing apparatus issues a certificate only in the event of a positive check result or wherein the certificate issuing apparatus issues a certificate containing a prescribed value of the identifier of the security classification even in the event of a negative check result (Suzuki: see above and Col. 16 Line 42 – 52). 

As per claim 12, Suzuki teaches wherein the extension data structure contains, in addition to the identifier of the security classification, information regarding a validity period of the security classification (Suzuki: see above & Figure 15: including a validity period of the security classification).

As per claim 13 and 23, Suzuki teaches wherein the identifier of the security classification is verified in a second device within the context of an authentication of the first device during a connection setup, or is verified during a request for service discovery in a network or during an autoconfiguration of the first device in a security zone of a network or is used for selection of a network filter rule (Suzuki: see above & Col. 14 Line 59 – Col. 15 Line 6 / Line 11 – 17: including a device certificate in an authentication request to setup a connection channel so as to transmit / receive data over the network).

As per claim 19, Suzuki teaches wherein the issuing unit is configured so as to output the identifier of the security classification as an extension data structure in the digital certificate or into an attribute certificate associated with the digital certificate (Suzuki: see above & Figure 15). 

As per claim 20, the claim contains similar limitations to claim 1 and thus is rejected with the same rationale.

As per claim 22, Suzuki teaches wherein the ascertainment unit is configured so as to ascertain the security information from information contained in the device itself (Suzuki: Figure 1 & Col. 16 Line 34 – 52, Col. 25 Line 2 – 6, Col. 13 Line 3 – 5, Col. 15 Line 1 – 3, Col. 11 Line 6 – 8 / Line 26 – 31 and Col. 12 Line 32 – 37: permitting a communication device (i.e. a 1st device) to communicate over a network by ascertaining security information of the first (1st) device based on (at least) the validity of a software installed at the 1st device, which is not falsified w.r.t. the version and the hash value(s) of the installed software and validating the digital signature as well). 

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Suzuki et al. (U.S. Patent 9,438,583) and in view of Vennelakanti et al. (U.S. Patent 2010/0138908).  

As per claim 2, Vennelakanti (& Suzuki) teaches wherein the digital certificate having an identifier of the security classification is provided to the first device, in particular during manufacture or startup of the first device (Vennelakanti: Para [0010] / [0016]: security capability classification information included in a digital certificate can contain the security information pre-installed from a manufacturing entity so as to avoid the loss after a hard reset of the device).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teaching of Vennelakanti within the system of Suzuki because (a) Suzuki teaches using a digital certificate with designated security information to setup a connection over a network based on the networking security criteria (see above), and (b) Vennelakanti teaches security information included in a digital certificate can contain the security information pre-installed from a manufacturing entity so as to avoid the loss after a hard reset of the device (see above). 




Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2212 – 2021
---------------------------------------------------