Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. Claim 14 has been canceled.
Applicant’s arguments, filed 01/07/2021, have been fully considered but they are not persuasive.

Priority
No foreign priority is claimed.
    
Response to Arguments
Applicant presents arguments regarding the presence or absence of claimed limitations in the prior art. However, applicant has amended the claims and in so doing has changed their scope. New grounds of rejection, necessitated by applicant's amendments, are outlined below.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Omum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) or 1.321 (d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-6, 8-12, 15-17 and 19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over various claims of application# 15/650,138, now patent# 10,521,581 B1 (referred to as ‘581 hereinafter). Claims 1-6, 9 and 12 of ‘581 patent claim all the limitations set forth in the instant claims 1-6, 8-12, 15-17 and 19.
Although the conflicting claims are not identical, they are not patentably distinct from each other because the instant application claims are anticipated and covered by similar subject matter as that of generally narrower claims 1-6, 9 and 12 of ‘581 as also shown below.

Claim Comparison Table

Patent# 10,521,581:
1. A method for providing access to a data protection system, the method comprising: receiving a request from a client, wherein the request includes an operation; performing a handshake operation to establish a session with a server included in the data protection system;
obtaining a client certificate included in the request and determining whether the client certificate is valid;
extracting a username of a user of the data protection system included in the client certificate when the client certificate is valid;
determining whether the username is valid on the data protection system;
obtaining a user role associated with the username when the username is valid on the data protection system,
wherein the user role is associated with privileges and permissions that the user is granted,
wherein the privileges and the permissions determine how the client uses the data protection system;
authorizing the client to perform operations in accordance with the privileges and the permissions; and
executing the operation when the operation is allowed based on the privileges and the permissions associated with the user role.

Instant Application 16/707,937:
1. A method for accessing a data protection system, the method comprising:
receiving a request from a client, wherein the request includes a client certificate;
authenticating the client based on the client certificate;
extracting a username from the client certificate after the client is authenticated;
determining a role of the client based on the username, wherein the role maps (mapping implies determining the specified association) the username to permissions associated with the data protection system that determine how the client uses the data protection system;
determining whether the client is authorized to perform an operation in the data protection system based on the mapping (mapping implies determining the specified association) between the username to the permissions;
and
performing the operation based on the role of the client and on the permissions associated with the role of the client.
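The certificate-to-role-to-permission flow recited in the compared claims, as an added illustration that is not the applicant's, the '581 patentee's or any cited reference's code. Certificates are simplified constructed records rather than real X.509, and the CA name, CRL, usernames, roles and operations are all hypothetical; it also covers the dependent-claim cases of a missing username (claim 11), revocation (claims 8 and 10) and an error message on an invalid certificate (claim 5).

```python
"""Hypothetical, added illustration of the claimed access flow: authenticate a
client certificate, extract the username, map it to a role, then authorize one
operation.  Not code from the application or the cited references."""
from dataclasses import dataclass
from typing import Optional

# Constructed trust material: one trusted CA and a certificate revocation list
# (CRL) keyed by certificate serial number.
TRUSTED_CA = "Example Data Protection CA"
CRL: set = {"0003"}

# Constructed role mapping: username -> role, role -> permitted operations.
USER_ROLES = {"alice": "admin", "bob": "operator"}
ROLE_PERMISSIONS = {
    "admin": {"backup", "restore", "delete"},
    "operator": {"backup", "restore"},
}


@dataclass
class ClientCert:
    issuer: str
    serial: str
    username: Optional[str]       # subject identity; None models a cert without one
    signature_valid: bool = True  # stands in for CA signature verification


@dataclass
class Request:
    cert: ClientCert
    operation: str


@dataclass
class Result:
    allowed: bool
    role: Optional[str] = None
    error: Optional[str] = None


def authenticate(cert: ClientCert) -> Optional[str]:
    """Return an error string if the certificate is not acceptable, else None."""
    if not cert.signature_valid or cert.issuer != TRUSTED_CA:
        return "client certificate not signed by a trusted CA"
    if cert.serial in CRL:
        return "client certificate has been revoked"
    if not cert.username:  # a certificate without a username is treated as invalid
        return "client certificate does not carry a username"
    return None


def handle(req: Request) -> Result:
    """Authenticate, map username -> role -> permissions, then decide on the operation."""
    err = authenticate(req.cert)
    if err:
        return Result(False, error=err)  # error message on an invalid certificate
    username = req.cert.username
    role = USER_ROLES.get(username)
    if role is None:  # username must be known to the data protection system
        return Result(False, error=f"unknown user {username!r}")
    if req.operation not in ROLE_PERMISSIONS[role]:
        return Result(False, role=role,
                      error=f"role {role!r} may not perform {req.operation!r}")
    return Result(True, role=role)  # the caller performs the operation here


def revoke(serial: str) -> None:
    """Once revoked, the holder is neither authenticated nor authorized."""
    CRL.add(serial)
```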


Likewise, instant claim 15 is also anticipated by limitations of claim 1 of ‘581. Furthermore, the instant claims 2-6 are anticipated by claims 1, 2, 3, 1, 4 and 5 respectively of ‘581; the instant claims 8-12 are anticipated by claims 6, 1, 9, 12 and 6 respectively of ‘581; the instant claims 15-20 incorporate subject matter from the instant claims 1-13, and therefore similar anticipation reasons apply to those, as applicable. Further, since a computer-readable medium claim may carry out method steps of the claimed methods, it would be obvious to be able to carry out steps of a method, via instructions stored in the computer readable medium.
This is a non-provisional obviousness type double patenting rejection because the conflicting claims have been patented.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-13, 15-16, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Okamura (US 2003/0237004 A1), in view of Scurlock et al. (US 2012/0304271 A1, Scurlock hereinafter).
For claim 1, Okamura teaches a method for accessing a data protection system, the method comprising: receiving a request from a client, wherein the request includes a client certificate (para 0037-0039 – request for function or operation received with corresponding client certificate wherein the request is for communication setup for resource access via client/user certificate validation and authentication);
authenticating the client based on the client certificate (para 0037-0038, 0050-0053); 
extracting a username from the client certificate after the client is authenticated, and determining a role of the client based on the username (para 0102, 0114, 0116 – user id is of a particular web browser (role of associating with that browser); para 0050-0063, 0073-0075, 0139, 0155 – certificate analysis, client id extraction and validation, and user id extractions from the validated client certificate for client validation, wherein the user id is verified or authenticated based on signature), 
wherein the role maps the username to permissions associated with the data protection system that determine how the client uses the data protection system (para 0065, 0080-0081, 0102, 0114, 0116 – user id is of a particular web browser or has a role of associating with that browser, and communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges); and
performing an operation based on the role of the client and on the permissions associated with the role of the client (para 0065, 0080-0081, 0102, 0114, 0116 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser, wherein the user id is of a particular web browser i.e. role of associating with that browser).
Although mapping or association between different entities and attributes is a common idea that is also well-known in the art for establishing system constraints and security (also disclosed by Okamura – para 0065, 0080-0081, 0102, 0114, 0116 – as discussed above), Okamura does not explicitly disclose, however Scurlock teaches determining whether a client is authorized to perform an operation in the data protection system based on the mapping between the username (from the client certificate) to the permissions; and performing an operation based on the role of the client and on the permissions associated with the role of the client when the client is authorized (para 0007, 0026-0028, 0034 – authentication of certificate, retrieving username from the certificate, determining the associated (or mapped) access rights and privileges for that user which leads to determining of client connection identification for establishing connection, or authorizing the client for operations such as connection or login).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Scurlock in the system of Okamura, in order to determine authorization and privilege determination based on certificate data, thereby making authentication and authorization mechanism more efficient requiring fewer elements yet providing more robust and secure environment.

For claim 2, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches obtaining the client certificate from an object associated with the request (para 0013, 0035-0036, 0037-0039 – request for function or operation received with corresponding client certificate received as part of the client certificate data).

For claim 3, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches authenticating the client based on the client certificate and a CA certificate (para 0037-0038, 0050-0053).

For claim 4, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches determining whether the username is a valid username in the data protection system (para 0050-0053, 0058 – username is validated or authenticated).

For claim 6, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches obtaining the role based on the username, wherein the username is associated with the role and wherein the role defines privileges or permissions of the client (para 0102, 0114, 0116 – user id is of a particular web browser (role of associating with that browser); para 0065, 0080-0081 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges).

For claim 7, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches determining whether the operation associated with the request is allowed by the role of the client (para 0102, 0114, 0116 – user id is of a particular web browser (role of associating with that browser); para 0065, 0080-0081 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges, wherein if the user is authenticated using various validation means as indicated above, the user is determined to be allowed to carry out further connectivity and access operations).

For claim 8, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches controlling certificate policies using a certificate revocation list (para 0053, 0132, 0145).

For claim 9, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches authorizing the operation in accordance with the role of the client and the permissions associations associated with the role (para 0065, 0080-0081, 0102, 0114, 0116 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser, wherein the user id is of a particular web browser i.e. role of associating with that browser).

For claim 10, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches revoking the client certificate such that the client is neither authenticated nor authorized in the data protection system (para 0053, 0132, 0145).

For claim 11, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches wherein the client certificate is not valid when the client certificate does not include the username (para 0061-0064, 0088 – matching of user id is attempted, and the fact that validation results are received, it is evident that the validation result can be a match or a no-match, i.e. valid or invalid).

For claim 12, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches controlling and maintaining the permissions and policies of the data protection system at least in part using a certificate revocation list (para 0053, 0132, 0145 – wherein the certificate revocation affects operations of various data protection system components thereby controlling or maintaining permissions and policies of the system).

For claim 13, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches controlling an ability of the client to access data by changing the policy or the role of the client (para 0065, 0080-0081 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges, wherein if the user is authenticated using various validation means as indicated above, the user is determined to be allowed to carry out further connectivity and access operations; para 0053, 0132, 0145 – wherein the certificate revocation affects operations of various data protection system components thereby controlling or maintaining permissions and policies of the system; i.e. the role and the certificate revocation affects data access abilities of one or more components including the client).

As to claim 15, the claim limitations are similar to those of claim 1, except that claim 15 is drawn to a non-transitory computer readable medium comprising computer executable instructions configured for execution by a processor (Okamura – Fig. 1-2) to implement the method of claim 1. Therefore claim 15 is rejected according to claim 1.

For claim 16, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches obtaining the client certificate from an object associated with the request (para 0013, 0035-0036, 0037-0039 – request for function or operation received with corresponding client certificate received as part of the client certificate data), and authenticating the client based on the client certificate and a CA certificate (para 0037-0038, 0050-0053).

For claim 18, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches obtaining the role based on the username, wherein the username is associated with the role and wherein the role defines privileges or the permissions of the client (para 0102, 0114, 0116 – user id is of a particular web browser (role of associating with that browser); para 0065, 0080-0081 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges), and determining whether the operation associated with the request is allowed by the role of the client (para 0102, 0114, 0116 – user id is of a particular web browser (role of associating with that browser); para 0065, 0080-0081 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges, wherein if the user is authenticated using various validation means as indicated above, the user is determined to be allowed to carry out further connectivity and access operations).

For claim 19, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches controlling policies using a certificate revocation list (para 0053, 0132, 0145); authorizing the operation in accordance with the role of the client and the permissions associations associated with the role when the client certificate is not revoked (para 0065, 0080-0081, 0102, 0114, 0116 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser, wherein the user id is of a particular web browser i.e. role of associating with that browser); and revoking the client certificate such that the client is neither authenticated nor authorized in the data protection system (para 0053, 0132, 0145), wherein the client certificate is not valid when the client certificate does not include the username (para 0061-0064, 0088 – matching of user id is attempted, and the fact that validation results are received, it is evident that the validation result can be a match or a no-match, i.e. valid or invalid).

For claim 20, Okamura in view of Scurlock teaches the claimed subject matter as discussed above, and Okamura further teaches controlling and maintaining the permissions and policies of the data protection system at least in part using the certificate revocation list (para 0053, 0132, 0145 – wherein the certificate revocation affects operations of various data protection system components thereby controlling or maintaining permissions and policies of the system); and comprising controlling an ability of the client to access data by changing the policies or the role of the client (para 0065, 0080-0081 – communication setup request for resource access via certificate validation and authentication carried out based on the user’s access to the web browser after validation and authentication operations are done thereby allowing the access operations or providing access privileges, wherein if the user is authenticated using various validation means as indicated above, the user is determined to be allowed to carry out further connectivity and access operations; para 0053, 0132, 0145 – wherein the certificate revocation affects operations of various data protection system components thereby controlling or maintaining permissions and policies of the system; i.e. the role and the certificate revocation affects data access abilities of one or more components including the client).


Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Okamura (US 2003/0237004 A1), in view of Scurlock et al. (US 2012/0304271 A1, Scurlock hereinafter), and further in view of Engert (US 2011/0126003 A1).
For claims 5 and 17, although Okamura teaches expecting certain types of results and checking for invalid entities (para 0075-0077), and it is also very well-known in the art to throw exceptions or error messages in such events, Okamura and Scurlock do not appear to explicitly teach, however Engert teaches constructing an error message if the client certificate is not valid or if the client is not valid (para 0041). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Engert in the system of Okamura and Scurlock in order to provide meaningful messages from the system to the user in order to enhance the operational aspects of the system and make the system more user-friendly.



Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433