Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Applicant’s Request for Continued Examination filed 1/4/2021 has been entered.  Claim 1 was amended.  
Claims 1-11 are presented for examination.

Response to Arguments
Applicant's arguments filed 1/4/2021 have been fully considered but they are not persuasive. 
On page 6, Applicant argues that IETF RFC 5246 and Choyi (2017/0012778) do not teach claims 1, 6-8 and 10-11.  Examiner respectfully disagrees.
Choyi does what the claim says it should do:  transmits a JWT during communication for authentication.  Omitting separate functions or any additional teachings not necessary to steps in the claim that Choyi may perform does not alter the JWT transmission.  There is no disclosure in the specification of modifying the JWT to remove any information that might be used for authorization, thus a 112(a) has been written.  There are no distinguishable steps or processes describing the message format for the use of JWT in the claims or when reviewing the claims in light of the specification (e.g. Spec [0074] enum, describes an enumeration for authorization formats that includes two types of JWT, [0095] JWT is communicated to the server 2 by means of the TLS protocol.)  Merely adding the JWT to enum structure is no different than Choyi’s description of communication setup with support that includes JWT (Choyi, [0068] Supported protocols: EAP/IPSec/(D) TLS/JWT, [0201]  Also a slight variant embodiment is that the scope information suggests the use of JSON Web Signing (JWS)/JSON Web 
Examiner notes that Applicant's remarks (pages 6-7) concerning negative limitations are off point.  The passages cited by Applicant concern whether a negative limitation is per se indefinite under 35 U.S.C. § 112(b).  See MPEP 2173.05(i).  No § 112(b) issue has been raised here.  
On page 8, Applicant argues that Choyi does not teach the new limitation “wherein the authentication information does not include authorization information”.  Claim 1 is rejected under §103 with the primary art IETF RFC 5246 in view of Choyi.  IETF RFC 5246 is cited for teaching transmitting authentication information.  Choyi has been mapped as shown in the rejection below to indicate the use of JWT (JSON Web Token) with authentication during message transmission while setting up end to end security.  Applicant appears to be arguing against a 103 combination in which IETF RFC 5246 would be modified to include not only the JWT features of Choyi, but also the authorization features of Choyi.  However, such an argument is unpersuasive against the current basis of rejection, which does not include the authorization features of Choyi.
On page 9, Applicant argues that Choyi fails to provide teaching and motivation to use a JSON Web token as authentication information.  Choyi is applied as an improvement to the IETF RFC 5246.  JSON web tokens are known to provide authentication security.  IETF RFC 5246 (Transport Layer Security) is known, to provide communication security.  Thus the 103 combination meets the requirement of Prima Facie obviousness and shown by “C. Use of Known Technique To Improve Similar Devices (Methods, or Products) in the Same Way.”  See MPEP §2143.
Applicant argues that Choyi has not been explained as teaching a JSON Web Token (JWT) for authentication.  Choyi has been mapped as shown in the rejection above to indicate the use of JWT with authentication as part of Fig 2, End-to-End authentication (Choyi, [0068] Supported protocols:  TLS/JWT, [0201]  Also a slight variant embodiment is that the scope information suggests the use of JSON Web Signing (JWS)/JSON Web Token representation instead of a MAC. The parameters used may be similar to those used for MAC computation, the representation is based on JWT and agreed upon during Security provisioning process described above.)  
 On page 10, Applicant argues Choyi [0068] does not use a cryptographic security protocol (taught by IETF RFC 5246) that includes the JSON Web token.  Choyi teaches the use of JWT as part of Choyi’s FIG 2 is End-to-End Authentication (Choyi, [0042] FIG. 2 is a diagram that illustrates End-To-End (E2E) Security Phases. Performing an End-to-End Authentication process may entail the following steps:. [0068] Supported protocols: EAP/IPSec/(D) TLS/JWT,)  The Applicant’s subsequent arguments of client authentication do not apply to  the citations shown in the §103 rejection below.
Applicant argues Choyi without consideration of that the limitations are taught by IETF RFC5246.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Claim 1 is taught by IETF RFC 5246 in view of Choyi.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:


Claim 1 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.   "Any negative limitation or exclusionary proviso must have basis in the original disclosure."  See MPEP § 2173.05(i).
Claim 1 recites “wherein the authentication information is a JavaScript Object Notation (JSON) Web Token and wherein the authentication information does not include authorization information.”  There is no disclosure in the specification of modifying the JWT to remove any information that might be usable for authorization.  Since JWT can be used for authorization1 the claim must have support in the specification to disclose how the intended use of JWT without authorization results in a structural difference in the claimed invention.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-8 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over IETF RFC 5246, August 2008., The Transport Layer Security (TLS) Protocol Version 1.2, hereinafter referred to as IETF RFC 5246, and in view of Choyi (2017/0012778).

Regarding claim 1, IETF RFC 5246 teaches
a method for initial setting up of a communication channel for exchanging data between a server device and a client device, comprising: 
transmitting the authentication information from the client device to the server device in a cryptographic security protocol; (IETF RFC 5246, (page 39), 7.4.1.2 When a client first connects to a server, it is required to send the ClientHello as its first message.; 
(page 53), 7.4.4 Certificate Request
   When this message will be sent:
       A non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite
(page 55), 7.4.6.  Client Certificate
   When this message will be sent:
      This is the first message the client can send after receiving a ServerHelloDone message.  …
Client certificates are sent using the Certificate structure defined in Section 7.4.2. …
(page 56), Meaning of this message:
      This message conveys the client's certificate chain to the server; the server will use it when verifying the CertificateVerify message)
wherein the cryptographic security protocol is a Transport Layer Security (TLS) handshake protocol having an extension for transmitting (IETF RFC 5246, 
(page 33), 7.3.  Handshake Protocol Overview

IETF RFC 5246 teaches extensibility (IETF RFC 5246, (page 6), 2. Goals   3. Extensibility: TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary)
authenticating the client device by the server device using the cryptographic security protocol including the authentication information, wherein authenticating the client device depends on the transmitted authentication information; and (IETF RFC 5246, (page 63),
7.4.9. Finished
   When this message will be sent:
      A Finished message is always sent immediately after a change cipher spec message to verify that the key exchange and authentication processes were successful.  It is essential that a change cipher spec message be received between the other handshake messages and the Finished message.
(page 34, paragraph 3) The client then immediately sends the Finished message under the new algorithms, keys, and secrets.  In response, the server will send its own ChangeCipherSpec message, transfer the pending to the current Cipher Spec, and send its Finished message under the new Cipher Spec.  At this point, the handshake is complete, and the client and server may begin to exchange application layer data.)
setting up the communication channel between the server device and the authenticated client device using the cryptographic security protocol including the transmitted authentication information; (IETF RFC 5246, (page 63),
7.4.9. Finished
   Meaning of this message:
it may begin to send and receive application data over the connection.)
IETF RFC 5246 teaches extensibility (IETF RFC 5246, (page 6), 2. Goals   3. Extensibility: TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary) but does not teach authentication information is a JavaScript Object Notation (JSON) Web Token.
IETF RFC 5246 teaches the use of Certificates that have been signed (IETF RFC 5246, (page 79),   certificate
      As part of the X.509 protocol (a.k.a. ISO Authentication framework), certificates are assigned by a trusted Certificate Authority and provide a strong binding between a party's identity or some other attributes and its public key.)
(page 85)
D.2. Certificates and Authentication
   Implementations are responsible for verifying the integrity of certificates and should generally support certificate revocation messages.  Certificates should always be verified to ensure proper signing by a trusted Certificate Authority (CA).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention that a signed Certificate reads on an Issuer Device.  However in the interest of compact prosecution Choyi is cited to teach wherein the authentication information is a JSON Web Token 
However Choyi teaches  wherein the authentication information is a JSON Web Token (Choyi, [0042] FIG. 2 is a diagram that illustrates End-To-End (E2E) Security Phases. Performing an End-to-End  TLS/JWT, [0201]  Also a slight variant embodiment is that the scope information suggests the use of JSON Web Signing (JWS)/JSON Web Token representation instead of a MAC. The parameters used may be similar to those used for MAC computation, the representation is based on JWT and agreed upon during Security provisioning process described above.) and wherein the authentication information does not include authorization information (Choyi, [0086] The TTP that employs a KDF 206 may perform an authentication of the Entity N 208 after which and if the Entity N has been authorized, the Entity N is provisioned with the appropriate EntityA_EntityN specific end-to-end keys.  EN: the authentication is done first, after authentication if they are authorized and then they get the keys)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Choyi’s authentication information with the extensible IETF RFC 5246 because doing so improves authentication between different entities (Choyi, [0011] A variety of mechanisms to perform End-to-End authentication between entities having diverse capabilities (E.g. processing, memory, etc.) and with no prior security associations are used. Security provisioning and configuration process is done such that appropriate security credentials, functions, scope and parameters may be provisioned to an Entity.)

Regarding claim 6, IETF RFC 5246 and Choyi teach
the method as claimed in claim 1, which furthermore comprises: 
if the client device is not authenticated by the server device, blocking the set-up of the communication channel between the server device and the client device (IETF RFC 5246, (page 28), 7.2.2.  Error Alerts

(page 31) handshake_failure
      Reception of a handshake_failure alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available.  This is a fatal error.
…
   bad_certificate
      A certificate was corrupt, contained signatures that did not verify correctly, etc.)

Regarding claim 7, IETF RFC 5246 and Choyi teach
the method as claimed in claim 1, which furthermore comprises: 
transmitting client device-related information from the client device to the issuer device; and (Choyi, [0043] Step 1 of FIG. 2 shows a Service Enablement and Security Configuration Process. At this step an Entity A 202 establishes an association with a Service Enabling Function (SEF) 204. The association established may be in-band or out-of-band and may also involve a mutual authentication process before the association is established. As part of the association establishment process, the nature of the service requested or offered by Entity A 202 is identified by the SEF 204. Also, the security requirements and features required or requested by the Entity A 202 are also identified by the SEF 204.)
creating the authentication information taking account of the client device-related information in the issuer device (Choyi, [0044] Step 2 of FIG. 2 shows a Security Credential Provisioning Process. Based on the SP and the corresponding security requirements and features that have been identified, the Entity A 202 is provisioned with appropriate security credentials.)


the method as claimed in claim 1, wherein the authentication information comprises at least one item of handling information indicating indications for proper transmission and/or use of the authentication information, and wherein transmitting the authentication information and/or authenticating the client device are/is carried out taking account of the handling information. (IETF RFC 5246, (page 40, ¶ 3) The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first).  EN: cryptographic algorithm reads on handling information for proper transmission).

Regarding claim 10, IETF RFC 5246 and Choyi teach
the method as claimed in claim 1, furthermore comprising: requesting the authentication information for the client device by means of the server device by way of the cryptographic security protocol from the client device (IETF RFC 5246, (page 53), 7.4.4 Certificate Request
   When this message will be sent:
       A non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite).

Regarding claim 11, IETF RFC 5246 and Choyi teach
the method as claimed in claim 1, wherein the authentication information furthermore contains a session information about the current connection between the client device and the server device (IETF RFC 5246, (pages 26-27), The Handshake Protocol is responsible for negotiating a session,
 which consists of the following items:
   session identifier


Claims 2-5 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over IETF RFC 5246, August 2008., The Transport Layer Security (TLS) Protocol Version 1.2, hereinafter referred to as IETF RFC 5246, and in view of Choyi (2017/0012778) in view of Eydelman (8,819,794).

Regarding claim 2, IETF RFC 5246 and Choyi teach
the method as claimed in claim 1, wherein the authentication information ... 
issuer device (Choyi,[0044] The security credentials that have been issued to Entity A 202 are used by it to perform authentication of entities that would like to establish a security association with it.) 
IETF-RFC 5246 does not teach is assigned an issuer device indicating an issuer of the authentication information.
However Eydelman teaches assigned an issuer device indicating an issuer of the authentication information (Eydelman, Col 2, lines 54-57, Service 101 is configured with a trusted issuer list 104 that identifies approved sources of authentication credentials or tokens. Similarly, service 102 has its own trusted issuer list 105. The trusted issuer lists may identify, for example, one or more authentication services 106, 107.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have applied Eydelman’s issuer devices to IETF RFC 5246 – Choyi’s issuer devices because doing so improves security in complex deployment topologies (Eydelman, Col 1, lines 18-30, Standard authentication protocols, such as the OAuth protocol, can be used by servers and services for successful authentication. However, such standard protocols do not sufficiently describe how to build trust among the servers and services for them to succeed. Additionally, the existing 
For example, the OAuth protocol often requires a single authentication server that all applications and services have to trust and rely on to successfully acquire credentials for authentication. However, many scenarios cannot use this single authentication server concept.)

Regarding claim 3, IETF RFC 5246, Choyi and Eydelman teach
the method as claimed in claim 1, which furthermore comprises: 
storing a permissibility list in the client device and/or in the server device, which permissibility list indicates which issuer device from a multiplicity of issuer devices can create authentication information that is permissible for authenticating the client device; (Eydelman, Col 2, lines 54-57, Service 101 is configured with a trusted issuer list 104 that identifies approved sources of authentication credentials or tokens. Similarly, service 102 has its own trusted issuer list 105)
checking, in the client device or in the server device, whether the issuer device assigned to the authentication information is permissible in accordance with the permissibility list; and 
28if the issuer device is permissible in accordance with the permissibility list, authenticating the client device by means of the server device on the basis of the authentication information (Eydelman, Col 2, lines 54-57, Service 101 is configured with a trusted issuer list 104 that identifies approved sources of authentication credentials or tokens. Similarly, service 102 has its own trusted issuer list 105. The trusted issuer lists may identify, for example, one or more authentication services 106, 107.)

Regarding claim 4, IETF RFC 5246, Choyi and Eydelman teach
the method as claimed in claim 1, wherein the authentication information is assigned destination information indicating destination server device information for which the authentication token is intended; and wherein the method furthermore comprises: 
checking by means of the client device whether the destination server device information corresponds to the server device that communicated the enquiry to the client device; and (Eydelman, Col 3, lines 52-54, In order to participate in the trusted issuer identification process, each server or service must be configured with the appropriate information. Col 2, lines 54-57, Service 101 is configured with a trusted issuer list 104 that identifies approved sources of authentication credentials or tokens. Similarly, service 102 has its own trusted issuer list 105. The trusted issuer lists may identify, for example, one or more authentication services 106, 107)
if the destination server device information corresponds to the server device, transmitting the authentication information from the client device to the server device (Eydelman, Col 3, lines 19-26, Service 101 has a list 104 of trusted or approved authentication services. Service 101 compares the received trusted list 105 to its own trusted list 104 and identifies any matches between the two lists. For example, if service 101 trusts authentication services 106 and 107, and service 102 trusts authentication service 107, then service 101 can use authentication service 107 to obtain the appropriate credentials.)

Regarding claim 5, IETF RFC 5246, Choyi and Eydelman teach
the method as claimed in claim 1, which furthermore comprises: 
selecting, in the client device, from a multiplicity of items of authentication information (Eydelman, Col 4, lines 3-5, Security Token Service (STS). One or more STS is also configured for each server or service.) an item of authentication information which is assigned an issuer device permissible in accordance with the permissibility list and/or which is assigned destination server device information corresponding to the server device, that asked for the authentication information; and 
Same reason to combine Eydelman with IETF RFC 5246 as in claim 2 applies.
transmitting the selected authentication information from the client device to the server device by means of the cryptographic security protocol (IETF RFC 5246 (page 40, ¶ 3), The cipher suite list, passed from the client to the server in the ClientHello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first).)

Regarding claim 9, IETF RFC 5246, Choyi and Eydelman teach
the method as claimed in claim 1, furthermore comprising: 
storing an issuer device list in the client device , which indicates the issuer devices from which the client device has valid authentication information and/or from which the client device can request authentication information (Eydelman, Col 3, lines 40-42, In step 203, the first service compares the list of trusted issuers from the second server to its own list of trusted issuers. Col 3, lines 25-32, The trusted issuer lists 104, 105 for services 101 and 102 may identify a hierarchy of preferred authentication sources. For example, trusted issuer list 104 may prioritize or rank the sources as (1) direct trust of other deployments of the same application, (2) authentication service 105, and (3) authentication service 106. In one embodiment, service 101 will compare its list 104 and received list 105 and will select the most-preferred issuer. Col 3, lines 51-56, In order to participate in the trusted issuer identification process, 
Application Issuer Identifier.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315.  The examiner can normally be reached on 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BRUCE S ASHLEY/Examiner, Art Unit 2494                                                                                                                                                                                                        
/THEODORE C PARSONS/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Introduction to JSON Web Tokens, jwt.io, page 2, Wayback machine June 29, 2017