DETAILED ACTION

1.	This action is responsive to the communications filed on 11/06/2020.
2.	Claims 39-58 are pending in this application.
3.	Claims 39, 57, and 58 have been amended.
4.	Claims 1-38 have been previously cancelled.  

Notice of Pre-AIA or AIA Status

	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 11/06/2020 have been fully considered but they are not persuasive. In the remarks, applicant argued that:
a.	The claim requires that the data including “a first resource” is received “at the first device from a third device.” That is, for the mapping to work, the “first resource” must be communicated from the proxy to the user device. Not from the user device to the proxy as indicated by the office action and the art.
The claim also requires that the “first identifier” identifies “a second device.” That is, based on the first mapping table, the “request” must identify the “IT Resources.” However, as indicated by the office action and the art, the request includes information identifying the “User Device”, which is mapped to the claim element “first device” not the “second device” as required by the claim. (Applicant remarks, page 8).

In response: Based on the remarks and amendments to the claims, the examiner has adjusted the mappings of the claim elements. The claimed “first device” 
Baranowski disclosed that the API proxy (i.e., first device) verifies that the specific resource implicated by the type of access is in a list of authorized resources. The information technology resource is identified (i.e., first identifier) in the request (Column 11, Line 65 – Column 12, Line 5).

Applicant’s arguments with respect to the rest of the claims and their limitations have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	Claims 39-51, 54-58 are rejected under 35 U.S.C. 103 as being unpatentable over Baranowski et al. (US 10,033,719) in view of Salmela et al. (US 2016/0294819).	
	Regarding claim 39, Baranowski disclosed:
	A method of establishing a communications path between a first device and a second device comprising:
receiving, at the first device (Column 4, Lines 46-47, proxy) from a third device (Column 4, Lines 31-32, user devices 100, 102, 104, 106), data, the data comprising: 
a first resource having a first identifier for a second device (Column 4, Line 56, IT resource) remote from the first device (Column 2, Lines 50-55, establishing communications with IT resources (i.e., second device). Column 11, Line 65 – Column 12, Line 5, the API proxy verifies that the specific resource implicated by the type of access is in a list of authorized resources. The information technology resource is identified (i.e., first identifier) in the request);
a second resource having a second identifier for the second device (Column 10, Lines 60-67, the proxy encodes the provided parameters into a uniform resource locator (i.e., second identifier)). 
Baranowski did not explicitly disclose generating, at the first device, first connection data based on the second identifier; addressing the second device with the first identifier to transmit from the first device to the second device, the first connection data; receiving, at the first device from the second device, in response to the first connection data, second connection data; validating, at the first device, the second connection data;  establishing the communications path between the first device and second device responsive to a valid second connection data.
However, in an analogous art, Salmela disclosed generating, at the first device, first connection data based on the second identifier (Paragraph 37, the UE (i.e., first device) starts a bootstrapping procedure with the bootstrapping server (BSF). The UE is then authenticated to a BSF and obtains a master key and a bootstrapping transaction identifier (B-TID) (i.e., first connection data). Paragraph 38, the master key is shared (i.e., based on) between the UE and the BSF and an application specific key (i.e., second identifier) is derived by the UE); 
addressing the second device with the first identifier to transmit from the first device to the second device, the first connection data (Paragraph 37, communicating to the NAF (i.e., second device) the B-TID (i.e., first connection data) from the UE. Paragraph 38, communicating with the NAF based on the NAF_ID (i.e., first identifier));
receiving, at the first device from the second device, in response to the first connection data, second connection data (Paragraph 39, UE supplies the B-TID to the NAF along with an application request. After receipt of the application request, the NAF determines the NAF-ID and sends the B-TID and NAF-ID to the BSF.  Paragraphs 40-41, the BSF sends an authentication answer including the Ks_NAF (i.e., second connection data) back to the NAF and is shared with the UE (as shown in Figure 2)); 
validating, at the first device, the second connection data (Paragraph 57, Figure 4, when the UE receives the B-TID and service provider information from the BSF (through the NAF), it will use the FQDN and connect to the NAF by generating the Ks_NAF (i.e., second connection data) to establish a secure connection. Step 15 in Figure 4 showing that the Ks_NAF authentication is verified (i.e., validated)); 
establishing the communications path between the first device and second device responsive to a valid second connection data (Paragraph 57, establishing a secure connection using the Ks_NAF and B-TID).
	One of ordinary skill in the art would have been motivated to combine the teachings of Baranowski with Salmela because the references involve authenticating across networks, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the first connection data being based on the second identifier, the first and second connection data, validating the connection data, and establishing the communications path of Salmela with the (Salmela, Paragraph 42).
	Regarding claims 57, 58, the claims are substantially similar to claim 39. Claim 57 recites a non-transitory data carrier (Baranowski, Column 13, Lines 1-10, non-transitory mediums). Claim 58 recites a storage configured to store (Baranowski, Column 13, Lines 33-40, stored in memory or storage). Therefore, the claims are rejected under the same rationale. 
	Regarding claim 40, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	wherein the first connection data comprises a Server Name Indication based on the second identifier (Salmela, Paragraphs 38-39, using the Ks_NAF and B-TID to determine the NAF_ID (i.e., server name indication)).
	For motivation, please refer to claim 39.
	Regarding claim 41, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	wherein the data further comprises a third resource having a third identifier for the second device (Baranowski, Column 5, Lines 49-58, digital certificates are used to identify a device. The digital certificate is created with identifying information pertaining to the device. The certificate also contains information identifying multiple devices (i.e., third identifier)).
	Regarding claim 42, the limitations of claim 41 have been addressed. Baranowski and Salmela disclosed:
(Baranowski, Column 12, Lines 42-51, traffic associated with the client request is associated with a virtual internet protocol address (i.e., indirect) while transiting the secure network. The forwarded request appears to have originated from a virtual IP address and likewise any data comprising the requests results are addressed to the virtual IP address. The proxy intercepts traffic that is addressed to the virtual IP address, forwarding it to the device over the unsecure network using the device’s true address).
	Regarding claim 43, the limitations of claim 41 have been addressed. Baranowski and Salmela disclosed:
	wherein the third resource comprises a certificate that includes the third identifier (Baranowski, Column 5, Lines 49-58, the digital certificate is created with identifying information pertaining to the device).
	Regarding claim 44, the limitations of claim 41 have been addressed. Baranowski and Salmela disclosed:
	wherein the data further comprises a fourth resource having a fourth identifier for identifying a relationship between the first device and the second device (Baranowski, Column 5, Lines 49-58, digital certificates are used to identify a device. The certificate also contains information identifying multiple devices (i.e., fourth identifier). Column 6, Lines 47-51, a record of the association between two or more of the user, device, and certificate is stored in a database).
Regarding claim 45, the limitations of claim 44 have been addressed. Baranowski and Salmela disclosed:
(Baranowski, Column 6, Lines 52-63, sending the request with the certificate to the proxy).
	Regarding claim 46, the limitations of claim 44 have been addressed. Baranowski and Salmela disclosed:
	wherein the second connection data comprises a fifth identifier for the second device (Salmela, Paragraph 57, Figure 4, when the UE receives the B-TID and service provider information from the BSF (through the NAF), it will use the FQDN (i.e., fifth identifier) and connect to the NAF by generating the Ks_NAF (i.e., second connection data) to establish a secure connection. Step 15 in Figure 4 showing that the Ks_NAF authentication is verified (i.e., validated)).
	For motivation, please refer to claim 39.
	Regarding claim 47, the limitations of claim 46 have been addressed. Baranowski and Salmela disclosed:
	wherein validating the second connection data comprises verifying that the second identifier corresponds to the fifth identifier (Salmela, Step 15 in Figure 4 showing that the Ks_NAF authentication is verified (i.e., validated)).
	For motivation, please refer to claim 39.
	Regarding claim 48, the limitations of claim 46 have been addressed. Baranowski and Salmela disclosed:
	wherein the second connection data comprises a certificate that includes the fifth identifier therein (Salmela, Paragraph 61, using the public key certificate of the bootstrapping server).

	Regarding claim 49, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	wherein the second connection data further comprises a cryptographic signature of the second device (Salmela, Paragraph 74, cryptographically generated address and proof of identity such as a signature).
	For motivation, please refer to claim 39.
	Regarding claim 50, the limitations of claim 49 have been addressed. Baranowski and Salmela disclosed:
	wherein the data further comprises a third resource having a third identifier for the second device and wherein validating the second connection data comprises verifying the cryptographic signature using the third resource (Baranowski, Column 7, Lines 6-13, the proxy performs various operations to validate the request such as digital signatures. Salmela, Paragraph 74, cryptographically generated address and proof of identity such as a signature).
	For motivation, please refer to claim 39.
	Regarding claim 51, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	wherein transmitting, from the first device to the second device, the first connection data initiates a handshake sequence between the first device and the second device (Salmela, Figure 2, showing the handshake process between the UE and NAF by verifying the Ks_NAF ID).
	For motivation, please refer to claim 39. 
	Regarding claim 54, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	further comprising performing a security action at the first device responsive to invalidate the second connection data (Baranowski, Column 9, Lines 44-56, if the certificate is invalid or not authorized, a response is returned).
	Regarding claim 55, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	wherein receiving, at the first device, the data comprises one of: receiving, at the first device from a bootstrap server, the data; and receiving, at the first device in an out-of-band process, the data (Salmela, Paragraph 37, the UE starts a bootstrapping procedure with the bootstrapping server (BSF). The UE is then authenticated to a BSF and obtains a master key and a bootstrapping transaction identifier (B-TID)).
	For motivation, please refer to claim 39.
	Regarding claim 56, the limitations of claim 39 have been addressed. Baranowski and Salmela disclosed:
	wherein the first identifier comprises a direct identifier (Baranowski, Column 6, Line 63 – Column 7, Line 5, a request for initiating a login process is sent from a device to a proxy. The request includes a previously installed digital certificate and includes information identifying the sending device).

	Claims 52-53 are rejected under 35 U.S.C. 103 as being unpatentable over Baranowski et al. (US 10,033,719) in view of Salmela et al. (US 2016/0294819) and Seed et al. (US 2015/0033312).
	Regarding claim 52, the limitations of claim 51 have been addressed. Baranowski and Salmela did not explicitly disclose:
	wherein the handshake sequence is a TLS/DTLS handshake sequence.
	However, in an analogous art, Seed disclosed wherein the handshake sequence is a TLS/DTLS handshake sequence (Paragraph 96, the M2M service layer is bound or layered on top of existing protocols such as TLS sessions or DTLS).
	One of ordinary skill in the art would have been motivated to combine the teachings of Baranowski and Salmela with Seed because the references involve authenticating across networks, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the TLS/DTLS handshake with the teachings of Baranowski and Salmela in order for more efficient access (Seed, Paragraph 77).
	Regarding claim 53, the limitations of claim 39 have been addressed. Baranowski, Salmela, and Seed disclosed:
	wherein the communications path is secured under TLS/DTLS (Seed, Paragraph 96, the M2M service layer is bound or layered on top of existing protocols such as TLS sessions or DTLS).
	For motivation, please refer to claim 52.

  Conclusion

Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.    
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Steven C Nguyen whose telephone number is (571)270-5663.  The examiner can normally be reached on M-F 7AM - 3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/S.C.N/Examiner, Art Unit 2443
/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2443