DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
	Claims 1, 3-20 are pending.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Buer (PGPUB 2008/0215890), and further in view of Ronda et al (PGPUB 2011/0265159), Brockhaus et al (PGPUB 2018/0359241), and Sudia (US 5,799,086).

Regarding Claim 1:
	Buer teaches an information registration method for a terminal (paragraph 40, method for secure enrollment of biometric templates), comprising: 
receiving first authentication information fed back by an authentication server (paragraph 35-38, remote biometric authentication processor 150 generates signed hash of message comprising symmetric key and transmits message to sensor platform; remote biometric authentication platform sends digital certificate to sensor platform; digital certificate and symmetric key can be seen as “first authentication information”); 
sending a standard information acquisition request and the first authentication information to a first application (paragraph 36-38, sensor platform receives signed message and digital certificate, i.e. “first authentication information”; message requires sensor platform to retrieve information (public key) to validate authenticity of certificate), and acquiring signed standard information and an identity identifier of the standard information that are returned by the first application after the first application approves authentication of the first authentication information (paragraph 38, 42-46, sensor platform validates authenticity of provided certificate using public key of certificate authority, and uses public key provided in certificate to verify signature of message; enrollment station or enrollment logic takes biometric scan of user and converts the scan data to biometric template; sensor platform generates message including user’s template and identification of user; sensor platform encrypts all or portion of message using symmetric key and hashes and signs the encrypted message; paragraph 47, encrypted and signed message transmitted to remote biometric authentication processor), wherein the signed standard information is signed by the first application using second authentication information (paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, message is signed using sensor platform private key), wherein the second authentication information indicates the identity of the first application (paragraph 29, certification authority authenticates identity of sensor platform and binds identity of sensor platform to public private key pair; digital certificate includes public key of sensor platform and identifier; paragraph 33, sensor platform transmits message including digital certificate to remote biometric authentication processor; paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, since public/private key is bound to identity of sensor platform, signature with private key indicates identity of sensor platform, as public key will only verify private key signature of sensor platform); and 
sending the signed standard information, the identity identifier of the standard information, and the first authentication information to the authentication server (paragraph 44-47, sensor platform generates message including user’s template, and identification of the user; message encrypted using symmetric key (first authentication information of authentication server), and signed using sensor platform private key; message is transmitted to remote biometric authentication processor), to cause the authentication server to register the standard information and the identity identifier of the standard information (paragraph 49, if both validation and decryption are successful, remote biometric authentication processor stores template in memory associated with user identifier) after the authentication server approves authentication of the first authentication information (paragraph 48, remote biometric authentication processor decrypts message using symmetric key; if both validation of the signature and decryption are successful, remote biometric authentication processor 150 can assume that the message originated from the legitimate sensor platform 110) and approves authentication of the second authentication information according to the signed standard information (paragraph 48, remote biometric authentication processor 150 validates the signature included in the message using the stored public key of the platform (provided in the digital certificate); if both the validation of the signature and the decryption are successful, remote biometric authentication processor 150 can assume that the message originated from the legitimate sensor platform 110).
Buer does not explicitly teach sending a request for registering standard information to an authentication server; and
generating the standard information acquisition request.
(paragraph 120, registration process implemented by Token Manager; paragraph 124, user uses web browser to log into Relying Party Server and request registration of Token Manager; paragraph 127-128, browser receives registration ticket and provides Registration Server with registration ticket representing request for registration of Token Manager); and
generating a standard information acquisition request, and sending the standard information acquisition request and the first authentication information to a first application (paragraph 130-131, Registration Server 160 may then encrypt the signed registration message RegistrationMsg and the signed session token (and the signed server pseudo-random code, if generated) with the Token Manager's Public Certificate THPubC; Network Client 345 forwards the encrypted data and the Registration Server's Public Certificate RSPubC to the Token Manager 100).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the request-generating application teachings of Ronda with the authentication registration teachings of Buer, in order to create a system of interchangeable functions, which allows certain functions, such as authentication functions, to be updated or replaced without requiring changes to the basic application framework.  In such a case, the application generating requests would not need to know the status of the authentication elements, and would simply be able to request services or functions and be able to take advantage of whatever updates, upgrades, or security fixes had been applied to said authentication elements, thereby improving the security environment.
	Neither Buer nor Ronda explicitly teaches wherein the first authentication information comprises a certificate from the authentication server and signed by using the authentication server’s own first encryption key, and using the signed certificate as the first authentication information.
(paragraph 49-52, device requests authentication token comprising digital certificate from authorization apparatus; paragraph 58, authorization apparatus includes certification authority; paragraph 55-56, device request for new authentication token includes device certificate with digital signature of issuing authority; device certificate therefore comprises received certificate with signature of authentication server; device certificate transmitted to authentication server for authentication; authentication server therefore receives server signed certificate from end user device which previously received certificate from authentication server).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the server-provided certificate verification teachings of Brockhaus with the authentication registration teachings of Buer in view of Ronda, in order to improve the security of a system by providing a server for issuing device certificates, and verifying, by said server, that a device requesting authorization/authentication/registration was in possession of a server-signed certificate, thereby preventing unauthorized agents from obtaining access to the system.
Neither Buer nor Ronda nor Brockhaus explicitly teaches wherein the second authentication information indicates the identity of the terminal.
However, Sudia teaches the concept wherein signed standard information is signed by a first application using authentication information (col 43 line 58-col 44 line 17, trusted device equipped with private signature key; col 44 line 18-33, user initiates request to register device; registration request signed by device and accompanied by manufacturer’s device certificate in order to vouch for signature), wherein the authentication information indicates the identity of a terminal (col 44 line 18-33, trusted third party (TTP), using appropriate public keys, verifies manufacturer’s signature on the device certificate and the device signature on the information in the registration request; private key of device used to sign request therefore indicates identity of the device through use of associated public key to decrypt); and
Buer teaches wherein the authentication information is second authentication information (paragraph 48, use of sensor platform public key to verify signature made with corresponding private key).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication information indicating the identity of a terminal teachings of with the authentication registration teachings of Buer in view of Ronda and Brockhaus, in order to improve the security of a system by linking the identifying information of a device to a device key signature, thereby ensuring that registration requests are only accepted from devices which are determined to be authorized based on said identifying information. 

Regarding Claim 3:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method of claim 1.  In addition, Ronda teaches wherein: 
the method is implementable by a terminal comprising the first application and a second application (paragraph 65, Computer Host comprises Network Client 345/local browser 400 (i.e. second application); paragraph 125, Token Manager (i.e. first application) implemented as internal device to Computer Host); 
the step of sending a request for registering standard information to an authentication server comprises sending, by the second application, the request for registering standard information to the authentication server (paragraph 124, Fig. 6a, Network Client uses browser to request Registration of Token Manager from Relying Party Server/Registration Server); 
(paragraph 130, Fig. 6a, Registration Server encrypts signed registration message RegistrationMsg and signed session token with Token Manager’s Public Certificate THPubC, embeds encrypted data and Registration Server Public Certificate RSPubC in browser cookie, and sends cookie to browser/Network Client); 
the step of generating a standard information acquisition request comprises generating, by the second application, the standard information acquisition request (paragraph 131, Fig. 6a, Network Client forwards encrypted data and Registration Server’s RSPubC to Token Manager; extracting data and certificate from cookie can be seen as generation process); 
the step of sending the standard information acquisition request and the authentication information to a first application comprises sending, by the second application, the standard information acquisition request and the authentication information to the first application (paragraph 131, Fig. 6a, Network Client forwards encrypted data and Registration Server’s RSPubC to Token Manager); the step of acquiring signed standard information and an identity identifier of the standard information that are returned by the first application comprises acquiring, by the second application, the signed standard information and the identity identifier of the standard information that are returned by the first application (paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate; paragraph 136, Token Manager signs Session Certificate with private encryption key THPrivK; paragraph 137, Fig. 6a, Network Client receives and stores Session Certificate from Token Manager); and 
the step of sending the signed standard information, the identity identifier of the standard information, and the authentication information to the authentication server comprises sending, by the (paragraph 139, Network Client uses browser to transmit credential and Token Manager Public Certificate THPubC to Registration Server; paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate); and
Brockhaus teaches wherein the authentication information is the first authentication information (paragraph 49-52, device requests authentication token comprising digital certificate from authorization apparatus; paragraph 58, authorization apparatus includes certification authority; paragraph 55-56, device request for new authentication token includes device certificate with digital signature of issuing authority; device certificate therefore comprises received certificate with signature of authentication server; device certificate transmitted to authentication server for authentication; authentication server therefore receives server signed certificate from end user device which previously received certificate from authentication server).
The rational to combine Buer, Ronda, and Brockhaus is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 3.

Regarding Claim 4:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method of claim 3.  In addition, Ronda teaches wherein prior to the step of acquiring signed standard information and an identity identifier of the standard information that are returned by the first application, the method further comprises: 
receiving, by the first application, the authentication information and the standard information acquisition request from the second application (paragraph 130, Fig. 6a, Registration Server encrypts signed registration message RegistrationMsg session token with Token Manager’s Public Certificate THPubC, embeds encrypted data and Registration Server Public Certificate RSPubC in browser cookie, and sends cookie to browser/Network Client; paragraph 131, Fig. 6a, Network Client forwards encrypted data and Registration Server’s RSPubC to Token Manager);
authenticating, by the first application, the authentication information (paragraph 131, Fig. 6a, Token Manager validates signed RegistrationMsg and SessionToken); and 
after the authentication is approved, returning, by the first application, standard information signed by using second authentication information and returning, by the first application, the identity identifier of the standard information back to the second application (paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate; paragraph 136, Token Manager signs Session Certificate with private encryption key THPrivK; paragraph 137, Fig. 6a, Network Client receives and stores Session Certificate from Token Manager); and
Brockhaus teaches wherein the authentication information is the first authentication information (paragraph 49-52, device requests authentication token comprising digital certificate from authorization apparatus; paragraph 58, authorization apparatus includes certification authority; paragraph 55-56, device request for new authentication token includes device certificate with digital signature of issuing authority; device certificate therefore comprises received certificate with signature of authentication server; device certificate transmitted to authentication server for authentication; authentication server therefore receives server signed certificate from end user device which previously received certificate from authentication server).
The rational to combine Buer, Ronda, and Brockhaus is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 4.

Claim 5:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 4.  In addition Ronda teaches the method, further comprising: 
sending, by the second application, a verification request for to-be-authenticated information to the authentication server (paragraph 167, authentication process initiated when user starts session of browser and logs into Relying Party Server; paragraph 168, 170, Relying Party Server validates user’s login credentials and determines whether user has registered Token Manager with Relying Party Server; if so, Relying Party Server generates authentication message; login therefore represents request to verify Token Manager credentials); 
receiving, by the second application, third authentication information fed back by the authentication server (paragraph 169-170, Relying Party Server generates session token (third authentication information) and random number, and signs with Relying Party Server’s private key; Server generates encrypted authentication message by encrypting signed random number and session token, embeds in browser cookie, and sends to browser); 
generating, by the second application, a to-be-authenticated information acquisition request, sending the to-be-authenticated information acquisition request and the third authentication information to the first application (paragraph 171, Network Client extracts encrypted data and Relying Party Server’s Public Certificate from cookie and forwards to Token Manager), and acquiring to-be-authenticated information and a to-be-authenticated identity identifier of the to-be-authenticated information returned by the first application after the first application approves authentication of the third authentication information (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token; paragraph 177-178, Token Manager generates credential comprising session public encryption key SPubK, the session token, and the distinguished name of the User-RP Public Certificate (to-be-authenticated identity identifier); paragraph 184, Token Manager signs session certificate with User-Relying Party private key URPPrivK; paragraph 188, Network Client receives credential and uses browser to transmit credential to Relying Party Server); and 
sending, by the second application, the to-be-authenticated information, the to-be- authenticated identity identifier, and the third authentication information to the authentication server (paragraph 188, Network Client uses browser to transmit credential to Relying Party Server; paragraph 177-178, Token Manager generates credential comprising session public encryption key SPubK, the session token (third authentication information), and the distinguished name of the User-RP Public Certificate (to-be-authenticated identity identifier); paragraph 184, Token Manager signs session certificate with User-Relying Party private key URPPrivK (to-be-authenticated information)), to cause the authentication server to authenticate the third authentication information, the to-be-authenticated identity identifier, and the to-be-authenticated information (paragraph 188, Relying Party server validates credential using User-RP Public Certificate URPPubC, thereby verifying User-RP Public Certificate URPPubC as named, and validates session token), generate an authentication result (paragraph 192, if validation is successful, the browser 400 and the Relying Party Server 140 establish a mutually-authenticated encrypted TLS session; if the credential comprised the Session Certificate SCert, preferably the Relying Party Server 140 transmits the authentication payload to the browser 400, thereby allowing the browser 400 and the Relying Party Server 140 to establish the mutually authenticated TLS session using the Session Certificate SCert and the Relying Party Server's Public Certificate WSRPPubC), and feed the authentication result back to a second application (paragraph 192, Relying Party Server 140 transmits the authentication payload to the browser 400).
The rational to combine Buer and Ronda is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 5.

Claim 6:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 5.  In addition, Ronda teaches wherein prior to the step of acquiring to-be-authenticated information and a to-be-authenticated identity identifier of the to-be-authenticated information returned by the first application after the first application approves authentication of the third authentication information, the method further comprises: 
receiving, by the first application, the to-be-authenticated information acquisition request from the second application (paragraph 169-170, Relying Party Server generates session token (third authentication information) and random number, and signs with Relying Party Server’s private key; Server generates encrypted authentication message by encrypting signed random number and session token, embeds in browser cookie, and sends to browser; paragraph 171, Network Client extracts encrypted data and Relying Party Server’s Public Certificate from cookie and forwards to Token Manager), 
authenticating, by the first application, the third authentication information (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token), and 
after the authentication is approved, sending, by the first application, the to-be-authenticated information and an identity identifier of the to-be-authenticated information to the authentication server via the second application (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token; paragraph 177-178, Token Manager generates credential comprising session public encryption key SPubK, the session token, and the distinguished name of the User-RP Public Certificate (to-be-authenticated identity identifier); paragraph 184, Token Manager signs session certificate with User-Relying Party private key URPPrivK; paragraph 188, Network Client receives credential and uses browser to transmit credential to Relying Party Server).
The rational to combine Buer and Ronda is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 6.

Regarding Claim 7:
Buer teaches an information registration method for a terminal (paragraph 40, method for secure enrollment of biometric templates), comprising: 
receiving first authentication information and a standard information acquisition request (paragraph 36-38, sensor platform receives signed message and digital certificate, i.e. “first authentication information”; message requires sensor platform to retrieve information (public key) to validate authenticity of certificate); and 
authenticating the first authentication information (paragraph 38, 42-46, sensor platform validates authenticity of provided certificate using public key of certificate authority, and uses public key provided in certificate to verify signature of message), and after the authentication is approved, returning standard information signed by using second authentication information and returning an identity identifier of the standard information (paragraph 38, 42-46, sensor platform validates authenticity of provided certificate using public key of certificate authority, and uses public key provided in certificate to verify signature of message; enrollment station or enrollment logic takes biometric scan of user and converts the scan data to biometric template; sensor platform generates message including user’s template and identification of user; sensor platform encrypts all or portion of message using symmetric key and hashes and signs the encrypted message; paragraph 47, encrypted and signed message transmitted to remote biometric authentication processor; paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, message is signed using sensor platform private key), wherein the second authentication information indicates the identity of the first application (paragraph 29, certification authority authenticates identity of sensor platform and binds identity of sensor platform to public private key pair; digital certificate includes public key of sensor platform and identifier; paragraph 33, sensor platform transmits message including digital certificate to remote biometric authentication processor; paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, since public/private key is bound to identity of sensor platform, signature with private key indicates identity of sensor platform, as public key will only verify private key signature of sensor platform), and to cause the authentication server to register the standard information and the identity identifier of the standard information (paragraph 49, if both validation and decryption are successful, remote biometric authentication processor stores template in memory associated with user identifier) after the authentication server approves authentication of the first authentication information (paragraph 48, remote biometric authentication processor decrypts message using symmetric key; if both validation of the signature and decryption are successful, remote biometric authentication processor 150 can assume that the message originated from the legitimate sensor platform 110) and approves authentication of the second authentication information according to the signed standard information (paragraph 48, remote biometric authentication processor 150 validates the signature included in the message using the stored public key of the platform (provided in the digital certificate); if both the validation of the signature and the decryption are successful, remote biometric authentication processor 150 can assume that the message originated from the legitimate sensor platform 110).
Buer does not explicitly teach receiving from a second application;

However, Ronda teaches the concept of receiving first authentication information and a standard information acquisition request from a second application (paragraph 130-131, Registration Server 160 may then encrypt the signed registration message RegistrationMsg and the signed session token (and the signed server pseudo-random code, if generated) with the Token Manager's Public Certificate THPubC; Network Client 345 forwards the encrypted data and the Registration Server's Public Certificate RSPubC to the Token Manager 100); and
returning standard information and returning an identity identifier of the standard information back to the second application, to cause the second application to send signed standard information and the identity identifier of the standard information to an authentication server (paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate; paragraph 136, Token Manager signs Session Certificate with private encryption key THPrivK; paragraph 137, Fig. 6a, Network Client receives and stores Session Certificate from Token Manager; paragraph 139, Network Client uses browser to transmit credential and Token Manager Public Certificate THPubC to Registration Server; paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the request-generating application teachings of Ronda with the authentication registration teachings of Buer, in order to create a system of interchangeable functions, 
Neither Buer nor Ronda explicitly teaches wherein the first authentication information comprises a signed certificate of an authentication server.
	However, Brockhaus teaches the concept wherein first authentication information comprises a signed certificate of an authentication server (paragraph 49-52, device requests authentication token comprising digital certificate from authorization apparatus; paragraph 58, authorization apparatus includes certification authority; paragraph 55-56, device request for new authentication token includes device certificate with digital signature of issuing authority; device certificate therefore comprises received certificate with signature of authentication server; device certificate transmitted to authentication server for authentication; authentication server therefore receives server signed certificate from end user device which previously received certificate from authentication server).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the server-provided certificate verification teachings of Brockhaus with the authentication registration teachings of Buer in view of Ronda, in order to improve the security of a system by providing a server for issuing device certificates, and verifying, by said server, that a device requesting authorization/authentication/registration was in possession of a server-signed certificate, thereby preventing unauthorized agents from obtaining access to the system.
Neither Buer nor Ronda nor Brockhaus explicitly teaches wherein the second authentication information indicates the identity of the terminal.
(col 43 line 58-col 44 line 17, trusted device equipped with private signature key; col 44 line 18-33, user initiates request to register device; registration request signed by device and accompanied by manufacturer’s device certificate in order to vouch for signature), wherein the authentication information indicates the identity of a terminal (col 44 line 18-33, trusted third party (TTP), using appropriate public keys, verifies manufacturer’s signature on the device certificate and the device signature on the information in the registration request; private key of device used to sign request therefore indicates identity of the device through use of associated public key to decrypt); and
Buer teaches wherein the authentication information is second authentication information (paragraph 48, use of sensor platform public key to verify signature made with corresponding private key).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication information indicating the identity of a terminal teachings of with the authentication registration teachings of Buer in view of Ronda and Brockhaus, in order to improve the security of a system by linking the identifying information of a device to a device key signature, thereby ensuring that registration requests are only accepted from devices which are determined to be authorized based on said identifying information. 

Regarding Claim 8:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 7.  In addition, Buer teaches wherein the step of returning standard information signed by using second authentication information and an identity identifier of the standard information comprises: 
(paragraph 43, enrollment station or enrollment logic takes biometric scan of user and converts the scan data to a biometric template); 
using the second authentication information to sign the standard information (paragraph 44-46, sensor platform generates message including user’s template and signs encrypted message, as above), and determining the identity identifier of the standard information for the standard information (paragraph 44, message includes identification of the user); and 
returning the signed standard information and the identity identifier of the standard information (paragraph 47, encrypted and signed message is transmitted to remote biometric authentication processor); and
Ronda teaches returning back to the second application (paragraph 137, Fig. 6a, Network Client receives and stores Session Certificate from Token Manager).
The rational to combine Buer and Ronda is the same as provided for claim 7 due to the overlapping subject matter between claims 7 and 8.

Regarding Claim 9:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 7.  In addition, Buer teaches wherein: 
the step of authenticating the first authentication information comprises: using a first decryption key that matches a first encryption key of the authentication server to decrypt and authenticate the signed certificate (paragraph 36-38, remote biometric authentication processor generates hash of message and signs the hash, and sends message and digital certificate to sensor platform; sensor platform uses public key of certificate authority to verify certificate and public key provided in certificate to verify signature on message).

Claim 10:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 8.  In addition, Buer teaches wherein the identity identifier of the standard information comprises identity key information of the standard information, and the identity key information is associated with account information of the user (paragraph 44, message includes user’s template and identification of the user (i.e. identity key information of the standard information); paragraph 49, template associated with user identifier, e.g. user ID; template is stored in memory associated with said user ID).

Regarding Claim 11:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 8.  In addition, Buer teaches wherein: 
the second authentication information comprises second key information agreed by the authentication server in advance (paragraph 29, digital certificate binds identity of sensor platform to public/private key pair; paragraph 33, sensor platform transmits message including its digital certificate to remote biometric authentication processor), wherein the second key information comprises a second encryption key and a second decryption key (paragraph 29, digital certificate binds identity of sensor platform to public/private key pair); and 
the step of using the second authentication information to sign the standard information comprises: using the second encryption key agreed by the authentication server in advance to sign the standard information (paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, message is signed using sensor platform private key).

Regarding Claim 12:

receiving a to-be-authenticated information acquisition request from the second application and carrying third authentication information (paragraph 169-170, Relying Party Server generates session token (third authentication information) and random number, and signs with Relying Party Server’s private key; Server generates encrypted authentication message by encrypting signed random number and session token, embeds in browser cookie, and sends to browser; paragraph 171, Network Client extracts encrypted data and Relying Party Server’s Public Certificate from cookie and forwards to Token Manager); and 
authenticating the third authentication information, and after the authentication is approved, sending the to-be-authenticated information and an identity identifier of the to-be-authenticated information to an authentication server via the second application (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token; paragraph 177-178, Token Manager generates credential comprising session public encryption key SPubK, the session token, and the distinguished name of the User-RP Public Certificate (to-be-authenticated identity identifier); paragraph 184, Token Manager signs session certificate with User-Relying Party private key URPPrivK; paragraph 188, Network Client receives credential and uses browser to transmit credential to Relying Party Server), to cause the authentication server to authenticate the third authentication information, the to-be-authenticated identity identifier, and the to-be-authenticated information (paragraph 188, Relying Party server validates credential using User-RP Public Certificate URPPubC, thereby verifying User-RP Public Certificate URPPubC as named, and validates session token), generate an authentication result (paragraph 192, if validation is successful, the browser 400 and the Relying Party Server 140 establish a mutually-authenticated encrypted TLS session; if the credential comprised the Session Certificate SCert, preferably the Relying Party Server 140 transmits the authentication payload to the browser 400, thereby allowing the browser 400 and the Relying Party Server 140 to establish the mutually authenticated TLS session using the Session Certificate SCert and the Relying Party Server's Public Certificate WSRPPubC), and feed the authentication result back to the second application (paragraph 192, Relying Party Server 140 transmits the authentication payload to the browser 400).
The rational to combine Buer and Ronda is the same as provided for claim 7 due to the overlapping subject matter between claims 7 and 12.

Regarding Claim 13:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 12.  In addition, Ronda teaches wherein the step of returning, according to a standard information acquisition request carrying the third authentication information, the to-be- authenticated information and an identity identifier of the to-be-authenticated information back to the second application comprises: 
authenticating the third authentication information carried in the standard information acquisition request (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token); 
after the authentication is approved, receiving to-be-authenticated information (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token; paragraph 177-178, Token Manager generates credential); 
identifying the standard information to which the to-be-authenticated information belongs, and determining the identity standard matching the standard information to be to-be-authenticated identity identifier of the to-be-authenticated information (paragraph 177-178, Token Manager generates credential comprising session public encryption key SPubK, the session token, and the distinguished name of the User-RP Public Certificate (to-be-authenticated identity identifier); paragraph 184, Token Manager signs session certificate with User-Relying Party private key URPPrivK); and returning the to-be-authenticated information and the to-be-authenticated identity identifier of the to-be-authenticated information back to the second application (paragraph 188, Network Client receives credential and uses browser to transmit credential to Relying Party Server); and
Buer teaches receiving to-be-authenticated information input by a user (paragraph 52, biometric scan is performed and scan data converted into template for authentication).
The rational to combine Buer and Ronda is the same as provided for claim 7 due to the overlapping subject matter between claims 7 and 13.

Regarding Claim 14:
Buer teaches an information registration method (paragraph 40, method for secure enrollment of biometric templates), comprising: 
generating first authentication information and feeding the first authentication information back to a second application (paragraph 35-38, remote biometric authentication processor 150 generates signed hash of message comprising symmetric key and transmits message to sensor platform; remote biometric authentication platform sends digital certificate to sensor platform; digital certificate and symmetric key can be seen as “first authentication information”); 
receiving signed standard information, an identity identifier of the standard information, and the first authentication information from the second application (paragraph 44-47, sensor platform generates message including user’s template, and identification of the user; message encrypted using symmetric key (first authentication information of authentication server), and signed using sensor platform private key; message is transmitted to remote biometric authentication processor), wherein the signed standard information is signed by using second authentication information (paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, message is signed using sensor platform private key), and wherein the second authentication information indicates the identity of the first application (paragraph 29, certification authority authenticates identity of sensor platform and binds identity of sensor platform to public private key pair; digital certificate includes public key of sensor platform and identifier; paragraph 33, sensor platform transmits message including digital certificate to remote biometric authentication processor; paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, since public/private key is bound to identity of sensor platform, signature with private key indicates identity of sensor platform, as public key will only verify private key signature of sensor platform); 
authenticating the first authentication information, and authenticating the second authentication information according to the signed standard information (paragraph 48, remote biometric authentication processor decrypts message using symmetric key; paragraph 48, remote biometric authentication processor 150 validates the signature included in the message using the stored public key of the platform (provided in the digital certificate); if both the validation of the signature and the decryption are successful, remote biometric authentication processor 150 can assume that the message originated from the legitimate sensor platform 110); and 
registering the standard information and the identity identifier of the standard information after approving the authentications of the first authentication information and the second authentication information (paragraph 49, if both validation and decryption are successful, remote biometric authentication processor stores template in memory associated with user identifier).
Buer does not explicitly teach receiving, by an authentication server, a request for registering standard information from a second application executing on a terminal; 
generating, according to the request for registering standard information; and
wherein the signed standard information is sent to the second application by a first application.
(paragraph 120, registration process implemented by Token Manager; paragraph 124, user uses web browser to log into Relying Party Server and request registration of Token Manager; paragraph 127-128, browser receives registration ticket and provides Registration Server with registration ticket representing request for registration of Token Manager); 
generating, according to the request for registering standard information, first authentication information and feeding the first authentication information back to the second application (paragraph 130, Fig. 6a, Registration Server encrypts signed registration message RegistrationMsg and signed session token with Token Manager’s Public Certificate THPubC, embeds encrypted data and Registration Server Public Certificate RSPubC in browser cookie, and sends cookie to browser/Network Client); and
wherein signed standard information is sent to the second application by a first application (paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate; paragraph 136, Token Manager signs Session Certificate with private encryption key THPrivK; paragraph 137, Fig. 6a, Network Client receives and stores Session Certificate from Token Manager).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the request-generating application teachings of Ronda with the authentication registration teachings of Buer, in order to create a system of interchangeable functions, which allows certain functions, such as authentication functions, to be updated or replaced without requiring changes to the basic application framework.  In such a case, the application generating requests would not need to know the status of the authentication elements, and would simply be able 
Neither Buer nor Ronda explicitly teaches wherein the first authentication information comprises the authentication server’s own certificate.
	However, Brockhaus teaches the concept wherein first authentication information comprises an authentication server’s own certificate (paragraph 49-52, device requests authentication token comprising digital certificate from authorization apparatus; paragraph 58, authorization apparatus includes certification authority; paragraph 55-56, device request for new authentication token includes device certificate with digital signature of issuing authority; device certificate therefore comprises received certificate with signature of authentication server; device certificate transmitted to authentication server for authentication; authentication server therefore receives server signed certificate from end user device which previously received certificate from authentication server).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the server-provided certificate verification teachings of Brockhaus with the authentication registration teachings of Buer in view of Ronda, in order to improve the security of a system by providing a server for issuing device certificates, and verifying, by said server, that a device requesting authorization/authentication/registration was in possession of a server-signed certificate, thereby preventing unauthorized agents from obtaining access to the system.
Neither Buer nor Ronda nor Brockhaus explicitly teaches wherein the second authentication information indicates the identity of the terminal.
However, Sudia teaches the concept wherein signed standard information is signed by a first application using authentication information (col 43 line 58-col 44 line 17, trusted device equipped with private signature key; col 44 line 18-33, user initiates request to register device; registration request signed by device and accompanied by manufacturer’s device certificate in order to vouch for signature), wherein the authentication information indicates the identity of a terminal (col 44 line 18-33, trusted third party (TTP), using appropriate public keys, verifies manufacturer’s signature on the device certificate and the device signature on the information in the registration request; private key of device used to sign request therefore indicates identity of the device through use of associated public key to decrypt); and
Buer teaches wherein the authentication information is second authentication information (paragraph 48, use of sensor platform public key to verify signature made with corresponding private key).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the authentication information indicating the identity of a terminal teachings of with the authentication registration teachings of Buer in view of Ronda and Brockhaus, in order to improve the security of a system by linking the identifying information of a device to a device key signature, thereby ensuring that registration requests are only accepted from devices which are determined to be authorized based on said identifying information. 

Regarding Claim 15:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 14.  In addition, Buer teaches wherein the step of generating, according to the request for registering standard information, first authentication information and feeding the first authentication information back to the second application comprises: 
using the authentication server's own first encryption key to sign the certificate as the first authentication information, and feeding the first authentication information back to the second (paragraph 38, sensor platform receives digital certificate and validates the authenticity of the certificate using the public key, i.e. signature verification); and
Ronda teaches generating, according to the request for registering standard information (paragraph 130, Fig. 6a, Registration Server encrypts signed registration message RegistrationMsg and signed session token with Token Manager’s Public Certificate THPubC, embeds encrypted data and Registration Server Public Certificate RSPubC in browser cookie, and sends cookie to browser/Network Client); and
invoking, according to the request for registering standard information (paragraph 130, Fig. 6a, Registration Server embeds Registration Server Public Certificate in browser cookie and sends to browser).
The rational to combine Buer and Ronda is the same as provided for claim 14 due to the overlapping subject matter between claims 14 and 15.

Regarding Claim 16:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 14.  In addition, Ronda teaches wherein the step of authenticating the authentication information comprises: using a first decryption key to decrypt and authenticate the authentication information (paragraph 137, Fig. 6a, Network Client receives and stores Session Certificate from Token Manager; paragraph 139, Network Client uses browser to transmit credential and Token Manager Public Certificate THPubC to Registration Server; paragraph 134, Token Manager implements credential as digital certificate; digital certificate comprises public encryption key SPubK, session token received from Registration Server (authentication data), and distinguished name of Token Manager Public Certificate; paragraph 139, Registration Server validates credential signature using Token Manager Public Certificate THPubC, including session token (authentication data)); and
(paragraph 49-52, device requests authentication token comprising digital certificate from authorization apparatus; paragraph 58, authorization apparatus includes certification authority; paragraph 55-56, device request for new authentication token includes device certificate with digital signature of issuing authority; device certificate therefore comprises received certificate with signature of authentication server; device certificate transmitted to authentication server for authentication; authentication server therefore receives server signed certificate from end user device which previously received certificate from authentication server).
The rational to combine Buer, Ronda, and Brockhaus is the same as provided for claim 14 due to the overlapping subject matter between claims 14 and 16.

Regarding Claim 17:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 14.  In addition, Buer teaches wherein the second authentication information comprises second key information agreed by the authentication server and the first application in advance (paragraph 29, digital certificate binds identity of sensor platform to public/private key pair; paragraph 33, sensor platform transmits message including its digital certificate to remote biometric authentication processor), wherein the second key information comprises a second encryption key and a second decryption key (paragraph 29, digital certificate binds identity of sensor platform to public/private key pair); the signed standard information is signed by the first application using the second encryption key (paragraph 44-46, sensor platform generates message including user’s template and signs encrypted message, as above); and 
the step of authenticating the second authentication information according to the signed standard information comprises: according to the second key information agreed in advance, using the (paragraph 48, remote biometric authentication processor validates signature included in message using stored public key of sensor platform; therefore, message is signed using sensor platform private key).

Regarding Claim 18:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 14.  In addition, Ronda teaches the method, further comprising: 
receiving, by the authentication server, a verification request for to-be-authenticated information from the second application (paragraph 167, authentication process initiated when user starts session of browser and logs into Relying Party Server; paragraph 168, 170, Relying Party Server validates user’s login credentials and determines whether user has registered Token Manager with Relying Party Server; if so, Relying Party Server generates authentication message; login therefore represents request to verify Token Manager credentials); 
generating, according to the verification request, third authentication information and feeding the third authentication information back to the second application (paragraph 169-170, Relying Party Server generates session token (third authentication information) and random number, and signs with Relying Party Server’s private key; Server generates encrypted authentication message by encrypting signed random number and session token, embeds in browser cookie, and sends to browser); 
receiving the to-be-authenticated information, a to-be-authenticated identity identifier of the to-be-authenticated information, and the third authentication information from the second application (paragraph 174, Fig. 7, Token Manager decrypts authentication message and validates signed random number and session token; paragraph 177-178, Token Manager generates credential comprising session public encryption key SPubK, the session token, and the distinguished name of the User-RP Public Certificate (to-be-authenticated identity identifier); paragraph 184, Token Manager signs session certificate with User-Relying Party private key URPPrivK; paragraph 188, Network Client receives credential and uses browser to transmit credential to Relying Party Server); and 
authenticating the third authentication information, the to-be-authenticated identity identifier, and the to-be-authenticated information, respectively (paragraph 188, Relying Party server validates credential using User-RP Public Certificate URPPubC, thereby verifying User-RP Public Certificate URPPubC as named, and validates session token), to generate an authentication result and feeding the authentication result back to the second application (paragraph 192, if validation is successful, the browser 400 and the Relying Party Server 140 establish a mutually-authenticated encrypted TLS session; if the credential comprised the Session Certificate SCert, preferably the Relying Party Server 140 transmits the authentication payload to the browser 400, thereby allowing the browser 400 and the Relying Party Server 140 to establish the mutually authenticated TLS session using the Session Certificate SCert and the Relying Party Server's Public Certificate WSRPPubC).
The rational to combine Buer and Ronda is the same as provided for claim 14 due to the overlapping subject matter between claims 14 and 18.

Regarding Claim 19:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 18.  In addition, Ronda teaches wherein the step of authenticating the third authentication information comprises: 
with regard to the third authentication information, using a third decryption key of the authentication server to decrypt the third authentication information, and authenticating the decrypted certificate (paragraph 188, Relying Party server validates credential using User-RP Public Certificate URPPubC, thereby verifying User-RP Public Certificate URPPubC as named, and validates session token); and
Buer teaches wherein the step of authenticating the identity identifier and the to-be-authenticated information, respectively comprises:
with regard to the to-be-authenticated identity identifier, determining, according to the identity identifier of registered standard information, whether the to-be-authenticated identity identifier matches the identity identifier of registered standard information (paragraph 58, if both validation and decryption are successful, remote biometric authentication processor compares user ID of message with user ID in database to determine if associated template is available); and
comparing the to-be-authenticated information with the registered standard information for authentication (paragraph 58, remote biometric authentication processor compares received template to template associated with user ID in message/database; remote biometric authentication processor authenticates user by comparing received template with stored template).
The rational to combine Buer and Ronda is the same as provided for claim 14 due to the overlapping subject matter between claims 14 and 19.

Regarding Claim 20:
Buer in view of Ronda, Brockhaus, and Sudia teaches the method according to claim 19.  In addition, Buer teaches wherein the step of generating an authentication result and feeding the authentication result back to the second application comprises: 
with regard to the third authentication information, if the authentication is approved, authenticating the to-be-authenticated information and to-be-authenticated identity identifier (paragraph 57, remote biometric authentication processor 150 validates the signature included in the message using the stored public key of the sensor platform (provided in the digital certificate); remote biometric authentication processor 150 decrypts the message using the symmetric key generated for communication with sensor platform 110; if both the validation of the signature and the decryption are successful, remote biometric authentication processor 150 can assume that the message originated from the legitimate sensor platform 110); otherwise, returning a notice of authentication failure (paragraph 59, remote biometric authentication processor 150 sends a message to sensor platform 110 indicating whether authentication was successful); 
with regard to the identity identifier, if the authentication is approved, authenticating the to- be-authenticated information (paragraph 58, if both validation and decryption are successful, remote biometric authentication processor compares user ID of message with user ID in database to determine if associated template is available); if the authentication fails, returning a notice of authentication failure (paragraph 59, remote biometric authentication processor 150 sends a message to sensor platform 110 indicating whether authentication was successful); and 
with regard to the to-be-authenticated information, if the authentication is approved, returning a notice of success (paragraph 58, remote biometric authentication processor compares received template to template associated with user ID in message/database; remote biometric authentication processor authenticates user by comparing received template with stored template; paragraph 59, remote biometric authentication processor 150 sends a message to sensor platform 110 indicating whether authentication was successful); if the authentication fails, returning a notice of authentication failure (paragraph 59, remote biometric authentication processor 150 sends a message to sensor platform 110 indicating whether authentication was successful).

Response to Arguments
Applicant's arguments filed 7/21/2020 have been fully considered but they are not persuasive.

Regarding the rejection of claims under 35 USC 103:
Applicant’s arguments consist of the mere assertion that the prior art references fail to teach the claimed subject matter as added by amendment, i.e. “wherein the second authentication information indicates the identity of the first application and the identity of the terminal”.  Applicant notes that Examiner has agreed that the subject matter overcomes the prior art of record as per Examiner Interview dated 7/20/2020.  However, upon further consideration of the subject limitation in view of Applicant’s specification, Examiner wishes to note the following:
Applicant recites certain paragraphs from the instant specification as reciting the subject matter from which the claimed limitation is drawn, e.g. paragraph 88.  Review of paragraph 88 provides the following: 
[0088] After the authentication is approved, the security information application acquires biological information input by the user as the standard information, and uses DA (Device Authenticator) key information to sign the standard information, wherein the DA key information is used to indicate the identity of the terminal (in one example, the DA key information can indicate the identity of the security information application, while the security information application is placed by the equipment manufacturer in the terminal. Therefore, the DA key information also indicates the identity of the terminal).

This is followed by paragraph 97:
[0097] In some embodiments, the IFAA authentication server first authenticates the terminal certificate. For example, the IFAA authentication server may use the IFAA key information to decrypt the received information, and authenticate the validity of the terminal certificate. After the authentication is approved, the IFAA authentication server uses the DA key information to decrypt and authenticate the identity key information. If both are approved, it can be 

From reading the above, it would appear that the way in which the DA key “indicates” the identity of the first application/terminal is by being decryptable by the receiving device using corresponding key material, and that use of said key “indicates” both the identity of the first application and the terminal, by virtue of the first application residing upon said terminal.  This would appear to correspond to the system of Buer, which signs the response with the sensor platform private key, which is decrypted by the sensor platform public key (paragraph 29, 33, 48).  As the sensor platform public/private key pair is bound to the identity of the sensor platform, by signing the message with the sensor platform private key, the private key can be said to “indicate” the identity of the sensor platform.
Therefore, as Examiner has argued that the sensor platform corresponds to the first application, the only element which is missing from the combination of Buer, Ronda, and Brockhaus is the element of the second authentication information indicating the identity of the terminal.  However, a new ground(s) for rejection is provided above which does teach this additional subject matter, as added by amendment.

	Applicant’s arguments with regard to independent claims 7 and 14 are similar to those regarding claim 1 and are therefore responded to in a similar way.
	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814.  The examiner can normally be reached on 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact 






/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                         

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491