DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Terminal Disclaimer
The terminal disclaimer filed on 03/12/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US 10,469,465 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

 EXAMINER’S AMENDMENT
3.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Armon Shahdadi (Reg. No: 70,728).

CLAIMS
4.	The application has been amended as follows: 
1-20. 	(Cancelled).

receiving identification of a network destination where a computing device is attempting to transmit sensitive data, the sensitive data being identified prior to transmission based on comparing the network destination to a list of network destinations;
obtaining a spoofed security certificate that impersonates the network destination;
sending a first public key of the spoofed security certificate to the computing device for encrypting the sensitive data;
operating as a first certificate authority for the spoofed security certificate;
receiving the encrypted sensitive data;
decrypting the sensitive data using a private key of the spoofed security certificate;
conditionally blocking transmission of the sensitive data based on a status of a secure channel;
negotiating the secure channel with the network destination, wherein negotiating the secure channel comprises obtaining a second public key from a second certificate authority associated with the network destination; 
encrypting the sensitive data according to the second public key; and
forwarding the encrypted sensitive data to the network destination based on the negotiating of the secure channel.

23.	(Previously Presented) The method of claim 21, further comprising verifying, as a condition for sending the first public key, the computing device is in compliance with a compliance rule specifying at least one of an encryption requirement and a firmware-version requirement.
24. 	(Cancelled).
25.	(Cancelled).
26.	(Currently Amended) The method of claim 21 [[24]], wherein negotiating the secure channel includes accessing the second public key as previously received from the network destination.
27.	(Previously Presented) The method of claim 21, further comprising:
determining the secure channel cannot be established; and
notifying the computing device the secure channel cannot be established,
wherein forwarding the sensitive data includes forwarding the sensitive data to the network destination based on receiving an authorization from the computing device to send the sensitive data insecurely.
28. 	(Currently Amended) A non-transitory, computer-readable medium containing instructions that, when executed by a hardware-based processor, performs stages for providing a cryptographic proxy service, the stages comprising:

obtaining a spoofed security certificate that impersonates the network destination;
sending a first public key of the spoofed security certificate to the computing device for encrypting the sensitive data;
operating as a first certificate authority for the spoofed security certificate;
receiving the encrypted sensitive data;
decrypting the sensitive data using a private key of the spoofed security certificate;
conditionally blocking transmission of the sensitive data based on a status of a secure channel;
negotiating the secure channel with the network destination, wherein negotiating the secure channel comprises obtaining a second public key from a second certificate authority associated with the network destination; 
encrypting the sensitive data according to the second public key; and
forwarding the encrypted sensitive data to the network destination based on the negotiating of the secure channel.
29.	(Previously Presented) The non-transitory, computer-readable medium of claim 28, wherein operating as the certificate authority includes installing a root certificate on the computing device that causes the computing device to accept the first public key.

31.	(Cancelled).
32.	(Cancelled).
33.	(Currently Amended) The non-transitory, computer-readable medium of claim 28 [[31]], wherein negotiating the secure channel includes accessing the second public key as previously received from the network destination.
34.	(Previously Presented) The non-transitory, computer-readable medium of claim 28, the stages further comprising:
determining the secure channel cannot be established; and
notifying the computing device the secure channel cannot be established,
wherein forwarding the sensitive data includes forwarding the sensitive data to the network destination based on receiving an authorization from the computing device to send the sensitive data insecurely.
35.	(Currently Amended) A cryptographic proxy system comprising:
a memory storage including a non-transitory, computer-readable medium comprising instructions; and
a computing device including a hardware-based processor that executes the instructions to carry out stages comprising:

obtaining a spoofed security certificate that impersonates the network destination;
sending a first public key of the spoofed security certificate to the computing device for encrypting the sensitive data;
operating as a first certificate authority for the spoofed security certificate;
receiving the encrypted sensitive data;
decrypting the sensitive data using a private key of the spoofed security certificate;
conditionally blocking transmission of the sensitive data based on a status of a secure channel;
negotiating the secure channel with the network destination, wherein negotiating the secure channel comprises obtaining a second public key from a second certificate authority associated with the network destination; 
encrypting the sensitive data according to the second public key; and
forwarding the encrypted sensitive data to the network destination based on the negotiating of the secure channel.

37.	(Previously Presented) The system of claim 35, the stages further comprising verifying, as a condition for sending the first public key, the computing device is in compliance with a compliance rule specifying at least one of an encryption requirement and a firmware-version requirement.
38.	(Cancelled).
39.	(Cancelled).
40.	(Currently Amended) The system of claim 35 [[38]], wherein negotiating the secure channel includes accessing the second public key as previously received from the network destination.

Examiner’s Statement of Reasons for Allowance
5.	Claims 21-23, 26-30, 33-37 and 40 are allowed. 
6.	The present invention is directed to: a method and system for providing a cryptographic proxy service. Upon determining that data associated with a network destination comprises at least some sensitive data, a cryptographic service may provide a security certificate associated with the network destination. The plurality of data may be encrypted according to the security certificate associated with the network destination and provided to the cryptographic service for reencryption and transmission to the network destination.

Cottrell et al is directed to: a method and system of receiving communications from a network device in a network to a source of network data and establishing a secure and/or authenticated network connection between the network device and the source that appears to the network device as a direct connection to the source of network data. The method and system may also include a parsing module that modifies the network data passing back and forth between the network device and the source of network data.
Brinskelle et al is directed to: methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data are described. In an embodiment, a security agent may help ensure release of sensitive data is only triggered by authorized sources. The security agent may help ensure sensitive data is only released to authorized destinations. A security agent may translate or obfuscate sensitive data. Sensitive data may include HTTP cookies, session data, authentication information, authorization information, personal information, user credentials, and/or other data sensitive in nature. Sensitive data destinations and/or sensitive data origins may be identified. Identification may be performed using secure means (such as for example a SSL/TLS handshake). 
Rohloff et al is directed to: a system for securely transmitting information from a plurality of data sources to a plurality of data consumers, each of the data consumers 
Shah et al is directed to: a method and apparatus are provided for split-terminating a secure client-server communication connection, with client authentication. During handshaking between the client and the server, cooperating network intermediaries relay the handshaking messages, without altering the messages. At least one of the intermediaries possesses a private key of the server, and extracts a set of data fields from the handshaking messages, including a Client-Key-Exchange message that can be decrypted with the private key. The intermediary uses the extracted data to compute the client-server session key separate from the client's and the server's similar computation, and may transmit the key to the other intermediary via a secure communication channel. The client and the server thus establish the end-to-end client-server connection, and may authenticate each other, after which the network intermediaries may intercept and optimize the client-server communications transparently to the client and the server.

Therefore, the claims are allowable over the cited prior art. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774.  The examiner can normally be reached on M-F: 8 A.M. to 5 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAMES J WILCOX/           Examiner, Art Unit 2439            


/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439