Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communications received 3/15/2019. Claims 1-27 are pending.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 9/25/2019 and 2/26/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claim 8 is objected to because of the following informalities: the claim recites “the second request includes an indication of one the at least one nodes hosting the requested service”. The examiner believes the correct limitation would be: “the second request includes an indication of . Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1-11: claim 1 recites two instances of “access control data”, in lines 3 and 14; the subsequent recitations of “the access control data” in claim 1 (in the limitation starting with “verifying ...”) and in the claims dependent from claim 1 are indefinite because it is unclear which instance they refer to. For examination purposes, the examiner will consider the two instances to be the same and recommends amending the second instance to “the access control data”.
Claim 12 also recites two instances of “access control data”, in lines 5 and 16, which cause the subsequent recitation of “the access control data” to be indefinite. For examination purposes, the examiner will consider the two instances to be the same and recommends amending the second instance to “the access control data”.
Claims 13-21 recite “the access control data” in lines 12 and 17-18 of claim 13, which lack antecedent basis. The examiner recommends amending the first instance to “access control data”.
Claim 22 also recites “the access control data” in lines 13 and 18-19, which lack antecedent basis. The examiner recommends amending the first instance to “access control data”.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 12 and 22-27 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter for the following reasons: 22, 23-26, 27
Claims 12 and 22 are directed to “a computer program product ... comprises computer code ...”; the claims are software per se and are not statutory. The examiner recommends amending the claims by, for instance, including a physical medium storing the computer code.
Claims 23-26 are directed to a gateway device; however, the claims only recite functionalities performed by the device and lack hardware. The examiner recommends including in the gateway device a piece of hardware such as a memory or a hardware processor.
Claim 27 is directed to a client application, i.e. disembodied software, and is not statutory. The examiner recommends amending the claim by, for instance, including a physical medium storing the computer code.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-23, 25 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over US 9294468 to Kilbourn, hereinafter Kilbourn, and further in view of US 20070133763 to D’Angelo et al., hereinafter D’Angelo. Kilbourn is cited in IDS dated 9/25/2019.
Regarding claim 1, Kilbourn discloses:
A method of controlling application-specific access to a secure network arranged within a communication environment, the method comprising: providing access control data that identifies an authorized client application being authorized to access at least one service provided by the secure network (col. 4:64-67 and col. 5:1-3: server provides a list of trusted application-level certificates, used to identify applications in mobile devices requesting access to services (col. 4:30-38)), receiving a first request at a secure gateway device from a requesting client application external to the secure network (col. 4:26-33, Fig. 2, 210: a gateway receives a request from a client, external to services provided by a remote platform (col. 6:22-32, Fig. 4), interpreted as secure because access to the network must be authenticated (col. 4:48-54); the gateway is also secure because, in response to authenticating the application, a secure channel is established between the mobile and the gateway (Fig. 2, steps 230-250)), the first request being an access request to access to the secure network (Fig. 2, step 210, col. 4:30-38: receive request including a self-signed application-level certificate), checking, by the secure gateway device, whether the first request includes information trustworthily identifying the requesting client application (col. 4:48-60: verify the self-signed certificate is trusted), wherein when the checking indicates that the first request includes information trustworthily identifying the requesting client application, verifying, by the secure gateway device, on a basis of access control data and the information trustworthily, whether the requesting client application is the authorized client application being authorized to access the at least one service provided by the secure network (col. 4:58-67: in response to authenticating that the self-signed certificate is from a trusted source, authenticate the self-signed certificate based on a list of trusted application-level certificates (access control data) by comparing information in the certificate from the request with information from the list); granting, by the secure gateway device, access to the secure network in response to verifying that the requesting client application is the authorized client application (col. 5:1-19: in response to the authentication, set up a secure channel and allow the application access to the requested service); receiving, at the secure gateway device, a second request from the requesting client application to access a requested service provided by the secure network (repeat Fig. 2, step 210); verifying, by the secure gateway device, based on the access control data, whether the requesting client application is the client application authorized to access the requested service (Fig. 2, step 220, col. 4:57-67 and col. 5:1-6: determine the application certificate is from a trusted source, and then authenticate the certificate based on a list of trusted application-level certificates); and granting, by the secure gateway device, access to the requested service in response to verifying that the requesting client application is the client application authorized to access the requested service (col. 5:1-19).
The difference between the claimed invention and the prior art is that the prior art does not explicitly teach the access control data further identifying at least one service provided by the secure network to which service the authorized client application is authorized to access. In an analogous art, D’Angelo discloses an access gateway (Fig. 2) receiving requests from an application; a certificate identifier is extracted from the request and a profiling database is searched for a match to the certificate identifier of the application ([0123], Fig. 8); the profiling database is also searched for services associated with the requesting application ([0124]). Therefore, D’Angelo teaches access control data (the profiling database, Fig. 2, 228, Fig. 4) providing data that identifies authorized client applications ([0086], [0123]) and further identifies at least one service provided by the secure network to which service the authorized client application is authorized to access ([0124]). It would have been obvious to a skilled artisan before the instant application was effectively filed to implement the access control data as the profiling database in D’Angelo, which allows identifying authorized applications and the services they are authorized to access, because it would help enforce access control to services and would improve securing access to protected resources.

Regarding claim 2, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein the secure network comprises the secure gateway device providing access to the secure network for client applications external to the secure network (Kilbourn col. 

Regarding claim 3, Kilbourn in view of D’Angelo disclose the method of claim 1, further comprising at least one of the following: denying, by the secure gateway device, access to the secure network, when the checking indicates that the first request does not include information trustworthily identifying the requesting client application; denying, by the secure gateway device, access to the secure network in response to verifying that the requesting client application is not the authorized client application; and denying, by the secure gateway device, access to the requested service in response to verifying that the requesting client application is not the client application authorized to access the requested service (implicit from Kilbourn col. 4:64-67, col. 5:103: access to the service would be denied if the certificate identifier is not on the list of trusted certificates; also implicit in D’Angelo [0110], [0123], [0124], Fig. 8, step 810, “no” branch).
Regarding claim 4, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein the communication environment includes an access control server, which maintains the access control data, and wherein the access control data is provided from the access control server to the secure gateway device (Kilbourn col. 5, lines 1-3: obtain the trusted certificates from a server).
Regarding claim 5, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein an access control server is either integrated into the secure network (D’Angelo [0059], Fig. 2, 228: profiling database built on third-party database server platform, 
Regarding claim 6, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein the information trustworthily identifying the application is a Transport Layer Security certificate (SSL certificates in D’Angelo [0052] and Kilbourn col. 3:1-4; a person skilled in the art would use TLS instead of SSL, which is now deprecated in most browsers, without further testing).
Regarding claim 7, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein verifying that the requesting client application is the client application authorized to access the requested service comprises analyzing a public key included in the information trustworthily identifying the application (D’Angelo [0057]: extract the public key from the certificate for verification in the database); and further comprising at least one of: verifying that the requesting client application is the client application authorized to access the requested service comprises comparing information derived from the public key with the access control data (D’Angelo [0070]: use the verified public key to authenticate the request, e.g. by comparing a decrypted message’s hash value with a calculated message hash value; it would have been obvious before the application was filed to use the public key of the certificate to authenticate the application because it is a well-known technique and would not need any testing); and analyzing the public key comprises hashing the public key and verifying that the requesting client application is the client application authorized to access the requested service is based on the hash value of the public key.
Regarding claim 8, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein the at least one service provided by the secure network is hosted by at least one node in the secure network, and wherein the second request includes an indication of one the at least one nodes hosting the requested service (D’Angelo [0115]: the first or second request includes a URL of the requested service, which includes an IP or hostname as known in the art).  
Regarding claim 9, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein the second request includes an indication identifying a connection to the requested service (D’Angelo [0118] the format of the http request indicates connection to the web server, as known in the art).   
Regarding claim 10, Kilbourn in view of D’Angelo disclose the method of claim 1, wherein verifying that the requesting client application is the client application authorized to access the requested service comprises comparing the information trustworthily identifying the requesting client application with the access control data (Kilbourn col. 4:60-67, col. 5:1-3).  
Regarding claim 11, Kilbourn in view of D’Angelo disclose the method of claim 1, further comprising: establishing, prior to receiving the first request, a position of trust between the application installed on the client device and the secure network yielding trustworthy identity information of the application and wherein the access control data is obtained from the trustworthy identity information (Kilbourn col. 2:16-42: the list of trusted certificates maintained by the gateway establishes the position of trust between the applications in client devices and the network).  
Regarding claim 12, the claim recites substantially the same content as claim 1 and is rejected using the rationales for rejecting claim 1. 
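As an illustration of the two-request gateway logic discussed under claims 1 and 7 (added here as an example; it is not code from the application under examination nor from Kilbourn or D’Angelo), the following Python models access control data keyed by a hash of the client application's public key and mapping each application to the services it may access. The self-signed certificate, its signature check and the sample keys are constructed stand-ins, not real certificate verification or key material.

```python
import hashlib
from dataclasses import dataclass, field


def key_fingerprint(public_key: bytes) -> str:
    """Identify the application by a hash of its public key (cf. claim 7)."""
    return hashlib.sha256(public_key).hexdigest()


def make_app_certificate(subject: str, public_key: bytes) -> dict:
    """Constructed stand-in for a self-signed application-level certificate: the
    'signature' is a digest over the body, not a real signature by the key."""
    body = subject.encode() + public_key
    return {"subject": subject, "public_key": public_key,
            "signature": hashlib.sha256(b"self-signed:" + body).hexdigest()}


@dataclass
class SecureGateway:
    # Access control data: key fingerprint -> services that application may use.
    access_control_data: dict
    # Applications whose first (network access) request was already granted.
    admitted: set = field(default_factory=set)

    def _trustworthy_identity(self, request: dict):
        """Checking step: fingerprint of an intact self-signed certificate, else None."""
        cert = request.get("certificate")
        if not cert:
            return None
        expected = make_app_certificate(cert["subject"], cert["public_key"])
        if cert.get("signature") != expected["signature"]:
            return None
        return key_fingerprint(cert["public_key"])

    def handle_access_request(self, request: dict):
        """First request: admit the application to the secure network only if
        it is trustworthily identified and listed in the access control data."""
        fp = self._trustworthy_identity(request)
        if fp is None:
            return False, "no trustworthy application identity"
        if fp not in self.access_control_data:
            return False, "application not authorized"
        self.admitted.add(fp)
        return True, "network access granted"

    def handle_service_request(self, request: dict):
        """Second request: grant the named service only if the access control
        data lists that service for this already admitted application."""
        fp = self._trustworthy_identity(request)
        if fp is None or fp not in self.admitted:
            return False, "no admitted application identity"
        service = request.get("service")
        if service not in self.access_control_data.get(fp, set()):
            return False, f"application not authorized for service {service!r}"
        return True, f"access to {service!r} granted"


# Constructed sample key and access control data (not real key material).
PAYROLL_APP_KEY = b"constructed-public-key-of-payroll-app"
ACCESS_CONTROL_DATA = {key_fingerprint(PAYROLL_APP_KEY): {"payroll", "directory"}}


def run_demo() -> list:
    gw = SecureGateway(ACCESS_CONTROL_DATA)
    cert = make_app_certificate("com.example.payroll", PAYROLL_APP_KEY)
    tampered = dict(cert, subject="com.example.evil")  # signature no longer matches
    unlisted = make_app_certificate("com.example.other", b"constructed-unlisted-key")
    return [
        gw.handle_access_request({"certificate": cert})[0],                       # True
        gw.handle_service_request({"certificate": cert, "service": "payroll"})[0],  # True
        gw.handle_service_request({"certificate": cert, "service": "hr"})[0],     # False
        gw.handle_access_request({"certificate": tampered})[0],                   # False
        gw.handle_access_request({"certificate": unlisted})[0],                   # False
    ]
```

The third and fourth cases separate the two denial paths the rejection of claim 3 relies on: a trustworthy identity that is not authorized for the requested service, and a request whose identity information fails the checking step.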

Regarding claim 13, Kilbourn discloses 
A method of controlling application-specific access to a secure network arranged within a communication environment performed by a requesting client application external to the secure network, the method comprising (Fig. 4: method performed by a client device): transmitting a first request to a secure gateway device, the first request being an access request to access to the secure network and including information trustworthily identifying the requesting client application the secure network (Fig. 2, step 210, col. 4:30-38: receive request including a self-signed application-level certificate) comprising the secure gateway device to provide access to the secure network for client applications external to the secure network (col. 4:26-33, Fig. 2, 210: a client, external to services, sending a request to a gateway to access a service provided by a remote platform (col. 6:22-32, Fig. 4), interpreted as secure because access to the network must be authenticated (col. 4:48-54); the gateway is also secure because, in response to authenticating the application, a secure channel is established between the mobile and the gateway (Fig. 2, steps 230-250)); transmitting a second request to the secure gateway device, when access to the secure network is granted and in response to verifying, by the secure gateway device on the basis of the information trustworthily identifying the requesting client application and the control access data identifying the authorized client application being authorized to access at least one service provided by the secure network, that the requesting client application is the authorized client application (col. 4:58-67: in response to authenticating that the self-signed certificate is from a trusted source, authenticate the self-signed certificate based on a list of trusted application-level certificates (access control data) by comparing information in the certificate from the request with information from the list; col. 5:1-19: in response to the authentication, set up a secure channel and allow the application access to the requested service); wherein the second request is a request to access a requested service provided by the secure network (repeat Fig. 2, step 210); and accessing the requested service, when access to the requested service is granted and in response to verifying, by the secure gateway device based on the control access data, that the requesting client application is the client application authorized to access the requested service (Fig. 2, step 220, col. 4:57-67 and col. 5:1-6: determine the application certificate is from a trusted source, and then authenticate the certificate based on a list of trusted application-level certificates).
The difference between the claimed invention and the prior art is that the prior art does not explicitly teach the control access data further identifying at least one service provided by the secure network to which the authorized client application is authorized to access.
In an analogous art, D’Angelo discloses an access gateway (Fig. 2) receiving requests from an application; a certificate identifier is extracted from the request and a profiling database is searched for a match to the certificate identifier of the application ([0123], Fig. 8); the profiling database is also searched for services associated with the requesting application ([0124]). Therefore, D’Angelo teaches access control data further identifying at least one service provided by the secure network to which the authorized client application is authorized to access ([0124]). It would have been obvious to a skilled artisan before the instant application was effectively filed to implement the access control data as the profiling database in D’Angelo, which allows identifying authorized applications and the services they are authorized to access, because it would help enforce access control to services and would improve securing access to protected resources.

Regarding claims 14-21, the claims recite substantially the same content as claims 4-11, respectively, and are rejected using the rationales for rejecting claims 4-11, respectively. 
Regarding claim 22, the claim recites substantially the same content as claim 13 and is rejected using the rationales for rejecting claim 13. 
Regarding claim 23, the claim recites substantially the same content as claim 1 and is rejected using the rationales for rejecting claim 1. 
Regarding claim 25, Kilbourn in view of D’Angelo discloses the secure gateway device of claim 23, being further adapted to: deny access to the secure network when checking indicates that the first request does not include information trustworthily identifying the requesting client application; deny access to the secure network in response to verifying that the requesting client application is not the authorized client application; and deny access to the requested service in response to verifying that the requesting client application is not the client application authorized to access the 
Regarding claim 27, the claim recites substantially the same content as claim 13 and is rejected using the rationales for rejecting claim 13. 

Claims 24 and 26 are rejected under 35 USC 103 as being unpatentable over Kilbourn and D’Angelo, in view of US 20060090196 to Van Bemmel et al., hereinafter Van Bemmel.
Regarding claim 24, Kilbourn in view of D’Angelo discloses the secure gateway device of claim 23, wherein the communication environment includes an access control server, which maintains the access control data, the secure gateway device being further adapted to: request the access control data from the access control server prior to the receiving of the first request from the client application (Kilbourn col. 5, lines 1-3: obtain the trusted certificates from a server); Kilbourn in view of D’Angelo does not explicitly teach, but van Bemmel, in an analogous art,  discloses a gateway configured to request the access control data from the access control server ([0022]: gateway obtains the latest version of security policies from remote server) upon the receiving of the first request from the client application (Fig. 3 step 302 gateway receives a request from a client in a loop, and [0023], periodically downloads the latest policies ); and request the access control data from the access control server in response to an update process to update the access control data ([0023]: the gateway is notified of the updates of policies on the remote server and downloads a copy of the latest security 
Regarding claim 26, the claim recites substantially the same content as claim 24 and is rejected using the rationales for rejecting claim 24. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Choi et al. 20100175115 disclose registering application certificates, receiving a request for a service comprising a certificate, and determining whether the application certificate is valid ...
Drews et al. 20040128517 disclose a mobile device holding digital certificates that authorize access to resources; the mobile device initiates a request including a hash of the certificate content, sent to a server, which compares the hash with a generated hash in order to allow or deny the request.
Wilkins et al. 20120204032 disclose a key server maintaining in a database identifiers mapped to digital certificates and other information from user accounts, the data record also storing utilization and policies for each public key certificate.
Narayanan 20040091117 discloses an authentication server acting like a policy server; when a boundary server is started up, it requests updated certificates from the policy server.
Rogers et al. 20140115654 disclose a policy server storing policies and providing updated policies to a gateway whenever a new policy is received at the policy server, whenever there is a change in the policy, or in response to a request from the gateway.
Thornton et al. 20050071630 disclose a server checking whether certificates have expired, commanding an appropriate server to generate new certificates, and obtaining the new certificates from that server.
Cha et al. 9397978 disclose periodically polling for policies and downloading the policies from a server.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/Catherine Thiaw/
Primary Examiner, Art Unit 2493
4/6/2021