Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed on March 23, 2021 have been fully considered but they are not persuasive. In the response, the applicant argues that Sather and Parkinson, individually or in combination, fail to disclose or teach all the features of independent claim 1. The applicant particularly argues that the self-signed certificate of Sather is embedded with the UUID of the electronic device and not with a password as in the present claims. The applicant further argues that trust (e.g. authentication) between the electronic device and the client device of Sather is based on the hash of the UUID of the electronic device and not on "a password shared between the first device and the second device" as in the present claims.

The examiner respectfully disagrees with the applicant’s argument for at least the following reasons. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. In particular, the applicant does not draw a clear distinction between the scope and boundary of the claimed feature “Password” as recited in the claim language and the corresponding disclosure of “PIN” in the prior art.
[Applicant’s disclosure: 0012-0013 and 0017. In accordance with the present disclosure, instead of sending a password in the clear as is used in Basic Authentication, a shared secret (i.e., a password) between the server (e.g., the network interface 216) and the client (e.g., the gateway 212) may be incorporated into the self-signed certificate using a hash function].
The examiner would like to bring the applicant’s attention to the following paragraphs of the prior art Sather, where “PIN” is disclosed in adequate detail to teach the applicant’s claimed feature “Password” in scope and boundary as recited in claim 1. [Sather: 0004. The PIN may be transported via e-mail, entered from a sticker on the device itself, or displayed on a monitor or other display associated with the device. For example, a projector may display the PIN on the projection or a printer may display a PIN on a local multi-line display. The PIN can be subsequently used in establishing trust of the client by the electronic device. To establish trust of the electronic device by the client, the public key of the electronic device may be operated on, for example, hashed, to give a value that is set equal to the universal unique identifier (UUID) of the electronic device. Since the UUID resolves to the device and the digital certificate supplied by the device is linked to the UUID, trust of the electronic device by the client can also be established. Supplemental techniques described below, such as including a portion of the UUID in the PIN, may be useful for increasing confidence in the trusted relationship].
Furthermore, the applicant’s description is silent on, or does not discuss, what constitutes the claimed feature “Password”. However, the applicant’s argument is directed only to the UUID, while Sather discloses the following [Sather: 0028. At block 308, a personal identification number (PIN) may be created. In the strictest sense this is not a PIN, since this is not related to a person. In most applications a PIN is a limited number set, usually 4 numbers. As used herein, the PIN could be any phrase, word, character set, or description. However, since the PIN in this application is used to identify a particular endpoint, such as a device, it will be used for convenience. In one embodiment, the PIN may be a concatenation of a number, such as a random number, with at least a portion of the UUID. The random number portion may be thought of as the secret part of the PIN, although it is displayed in the clear in some embodiments. The full UUID may be concatenated with the secret when using the UUID to resolve the address of the electronic device 302. Shortening the UUID portion may be done to make subsequent entry of the PIN easier, when done manually, but the UUID is no longer available for use as an address and other discovery processes may be necessary to find the electronic device 302].
The prior art of record further discloses that the PIN is delivered over an out-of-band channel. [Sather: 0029-0030. The PIN may then be made available to clients using an out-of-band channel at block 310 ... At block 312, the client 301 may receive the PIN electronically, for example, by email, or a user may enter the PIN value via a user interface when viewed on one of the locations mentioned above. At block 314, the PIN may then be parsed into two portions, the secret portion and the UUID portion].
The prior art also teaches that the hash of the PIN is embedded in the certificate, contrary to the applicant’s argument against Sather. [Sather: 0032. The client 301 may respond at block 324 with a certificate with the PIN embedded in the certificate, for example, in the header field. The electronic device 302 may analyze the certificate at block 326 to determine if the PIN received in the certificate matches the PIN of the electronic device 302. If they match, the electronic device 302 has an assurance that the client 301 has received the PIN and trust may be extended by placing the client certificate in a trusted store. [0039] The electronic device 402, at block 414, may respond to the probe. The response, to use a Web Services embodiment as an example, may include an XML security header with the signature value set to the hash of the PIN. Since the hash of the secret is being sent, and the PIN may subsequently be involved in establishing trust, the PIN is susceptible to a dictionary attack by an entity that does not actually hold the PIN. [0044] With the electronic device 402 trusted by the client 401, it remains for the electronic device 402 to establish trust with the client 401. At block 424 the electronic device 402 may send a message to the client 401 requesting a certificate or other identifier. The client 401 may respond at block 426 with a certificate with the PIN embedded in the certificate, for example, in the header field. The electronic device 402 may analyze the certificate at block 428 to determine if the PIN received in the certificate matches the PIN of the electronic device 402 (refer to block 408). If the two match, the electronic device 402 has an assurance that the client 401 has received the PIN and trust may be extended by placing the client certificate in a trusted store].
In view of the above, the prior art of record Sather discloses the features of claim 1; therefore the applicant’s argument fails to overcome the prior art of record and place claim 1 in condition for allowance. Independent claims 13 and 18 recite features similar to those discussed for independent claim 1, and therefore, for the same reason, the applicant’s argument fails to overcome the prior art of record and place claims 13 and 18 in condition for allowance.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the password previously provisioned" in line 10.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 7 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claim 7, depending from claim 6, recites “wherein the authentication request is transmitted using an HTTP-based protocol”; however, claim 6 lacks any recitation of “the authentication request” that claim 7 could further limit. Alternatively, claim 7 needs to further limit the feature of claim 6 recited as “TR-069”, which itself depends from claim 5 (“the HTTP-device management protocol”).

Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 1, 4, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sather et al. (US Pub. No. 20080005562) in view of Parkinson (US Pub. No. 20080301438).

As per claim 1:
Sather discloses a method of authenticating a first device to a second device, comprising:
transmitting, by the second device, an authentication request to the first device, the authentication request requesting the first device to authenticate itself to the second device (0003: a client (as the second device) requesting an identification of a participating electronic device (as the first device));
receiving, by the second device, a self-signed digital certificate from the first device, the self-signed digital certificate including a hash of a password, and hashing, by the second device, the password provisioned in the second device (0028: the PIN could be any phrase, word, character set, or description; however, since the PIN in this application is used to identify a particular endpoint, or the PIN is a random number concatenated with the UUID; the electronic device participates in the secure channel creation and may then reply with the self-signed certificate having the PIN (random number concatenated with UUID) embedded in the certificate, for example, in the subject field; 0031: when the client receives the certificate, it determines if it is a trusted certificate or a self-signed certificate, the root authority is checked, and if valid, the certificate is accepted and the electronic device is given a trusted status. If the certificate is self-signed, the client 301 may extract the public key from the certificate and perform the agreed-to hash function. If the hash of the public key matches the UUID in the certificate, and if the electronic device 302 was
comparing, by the second device, the hash of the password provisioned in the second device with the hash of the password included in the self-signed digital certificate (0042: the probe response, including the hash and, optionally, the salt and the iteration count, is sent to the client, and the client uses the PIN it received to calculate its own hash value. If the locally calculated hash matches that received, the client assumes with confidence that the electronic device has the PIN); and
authenticating the first device if the second device confirms that the hash of the password provisioned in the second device matches the hash of the password included in the self-signed digital certificate (0042: when the values match, in combination with verifying that the electronic device has the PIN, the client may grant trusted status to the electronic device; 0043: verify authenticity).
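The following Python block is an added illustration of the claim 1 exchange mapped above and is not code from the application or from Sather or Parkinson: it models the second device extracting the hash carried in the certificate's commonName (claim 10), hashing the password provisioned on the second device, and comparing the two, and it also shows the salted, iterated PKCS#5 (PBKDF2) variant that the cited Sather 0042 (salt and iteration count) and Parkinson 0031 (PKCS#5) mention, which is the form a practitioner would deploy given Sather 0039's note that a bare hash of a short secret is exposed to dictionary guessing. The DN string layout, the ExampleCPE organisation and the sample password and salt are constructed assumptions, and validation of the certificate's own self-signature is assumed to have been done by the TLS stack before this step.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample secret, provisioned on both devices over an out-of-band
# channel (claim 4 / Sather 0029). Not a value taken from the application.
SHARED_PASSWORD = b"correct horse battery staple"


def hash_password_plain(password: bytes) -> str:
    """Bare SHA-256 of the password, the form claim 11 recites."""
    return hashlib.sha256(password).hexdigest()


def hash_password_pbkdf2(password: bytes, salt: bytes, iterations: int) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (PKCS#5) of the password.

    The salt and iteration count travel alongside the hash (Sather 0042);
    the work factor makes offline guessing of a short secret far costlier.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def build_subject_dn(password_hash: str, org: str = "ExampleCPE") -> str:
    """First-device side: carry the hash in the commonName attribute of the
    certificate subject (claim 10). The DN string is a constructed stand-in
    for the X.509 subject field."""
    return f"CN={password_hash},O={org}"


def extract_common_name(subject_dn: str) -> Optional[str]:
    """Parse the CN attribute out of an RFC 4514-style DN string."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN" and value:
            return value
    return None


def verify_certificate_hash(subject_dn: str, provisioned_password: bytes,
                            salt: Optional[bytes] = None,
                            iterations: int = 100_000) -> bool:
    """Second-device side of claim 1: hash the locally provisioned password
    and compare it with the hash presented in the certificate. A missing CN
    fails closed; the self-signature is assumed to be checked elsewhere."""
    presented = extract_common_name(subject_dn)
    if presented is None:
        return False
    if salt is None:
        expected = hash_password_plain(provisioned_password)
    else:
        expected = hash_password_pbkdf2(provisioned_password, salt, iterations)
    # Constant-time comparison so response timing does not leak how many
    # leading characters of the presented hash were correct.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # First device issues its certificate subject; second device verifies it.
    plain_dn = build_subject_dn(hash_password_plain(SHARED_PASSWORD))
    print("plain hash, correct password:", verify_certificate_hash(plain_dn, SHARED_PASSWORD))
    print("plain hash, wrong password:  ", verify_certificate_hash(plain_dn, b"guess"))

    salt = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed salt
    pbkdf2_dn = build_subject_dn(hash_password_pbkdf2(SHARED_PASSWORD, salt, 100_000))
    print("pbkdf2, correct password:    ", verify_certificate_hash(pbkdf2_dn, SHARED_PASSWORD, salt))
```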

Sather does not explicitly disclose that the password has been previously provisioned and that the password is shared between the first device and the second device. Parkinson, in analogous art, however, discloses that the password has been previously provisioned and that the password is shared between the first device and the second device (0031: the key is a pre-agreed secret key (which is considered a shared password, since it needs to be pre-agreed to be shared between the first and second device, and it is included as a hash in the self-signed digital certificate) transmitted out-of-band to the recipient; the key may also be generated by a password based encryption (PBE) algorithm such as PKCS#5, or derived from a password sent to the recipient out-of-band; a user

As per claim 13:
Claim 13 is directed to a computer-readable medium having computer executable instructions for implementing a method having substantially similar claimed limitation features as recited in corresponding claim 1 and therefore, claim 13 is rejected with the same rationale given above in claim 1.

As per claim 18:
Claim 18 is directed to a method for authenticating a server, having substantially similar claimed limitation features as recited in corresponding claim 1, and therefore claim 18 is rejected with the same rationale given above for claim 1. Further, the first device and the second device in claim 1 can take a client role and a server role interchangeably, as disclosed by Sather [Client: 301

As per claim 4:
Sather discloses wherein the password is provisioned to the second device using an out-of-band process (0029: the PIN may then be made available to clients using an out-of-band channel).

As per claim 15:
Sather discloses receiving the password at the second device over an out-of-band channel (0029: the PIN may then be made available to clients using an out-of-band channel).

As per claims 8, 16 and 19:
Sather discloses wherein the hash of the password is embedded in a data field of a pre-defined attribute included in the self-signed digital certificate (0030: PIN/UUID embedded in the certificate in the subject field; 0032: a certificate with the PIN embedded in the certificate in the header field; 0044: a certificate with the PIN embedded in the certificate in the header field).

As per claims 9, 17 and 20:


As per claim 10:
Sather discloses that the distinguished name attribute includes a common name field and that the hash of the password is embedded in the common name field (0027; 0036: the common standard defining the format and fields for digital certificates is the X.509 standard; embedding in, or use of, the common name field of the X.509 standard is well understood to one of ordinary skill in the art; the common name is technically represented by the commonName field in the X.509 certificate specification; common applications of X.509 certificates include SSL/TLS and HTTPS for authenticated and encrypted web browsing, signed and encrypted email via the S/MIME protocol, code signing, document signing, client authentication, and government-issued electronic ID).

As per claim 11:
Sather discloses wherein the hash is SHA-256 (0026; 0035: using a hash, any of many known hash algorithms, such as SHA-1 or MD5, or a more complex, stronger algorithm such as the commonly known SHA-256).

As per claim 12:
Parkinson discloses wherein the second device is a client and the first device is a server (0036: The machine may operate in the capacity of a server or a client machine in client-.

Claims 2-3, 5-7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sather et al. (hereinafter referred to as Sather, US Pub. No. 20080005562) in view of Parkinson (US Pub. No. 20080301438) and in further view of Gerodolle et al. (hereinafter referred to as Gerodolle, US Pub. No. 20190116081).

As per claims 2 and 14:
Sather and Parkinson do not explicitly disclose wherein the first and second devices are customer premises equipment (CPE) units. Gerodolle, in analogous art, however, discloses a password that has been previously provisioned in the first device (0012: authentication by CPE, which provides an identifier and a password; 0074). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the method disclosed by Sather and Parkinson to include wherein the first and second devices are customer premises equipment (CPE) units. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide an access gateway (e.g. a residential gateway) for configuring security (self-authentication) in a device suitable for controlling access to the network, as suggested by Gerodolle (0066).

As per claim 3:


As per claim 5:
Gerodolle discloses wherein the out-of-band process of claim 4 is an HTTP-device management protocol (0097; 0099: the password PWD is exchanged through a URL using an HTTP management device).

As per claim 6:
Gerodolle discloses wherein the HTTP-device management protocol is TR-069 (0101: TR-069 CPE WAN management device using CWMP protocol; 0111).

As per claim 7:
Gerodolle discloses wherein the authentication request is transmitted using an HTTP-based protocol (0076: management device; 0097: management device using URL or HTTP protocol).

BRI (Broadest Reasonable Interpretation)
The claims under examination have been given their BRI consistent with the applicant’s disclosure as it would be interpreted by one of ordinary skill in the art. To construe the scope and boundary of the claimed limitations, the following claim words, terms and phrases have been given the BRI considerations set out below, for which the examiner cites notes from the applicant’s disclosure:

[Self-signed certificate: 0003] In a self-signed certificate, the digital signature field in the certificate is encrypted using the certificate holder's private key for the certificate.
[Self-signed certificate, continued] A self-signed certificate may be sufficient to assure the client that the device is indeed the device with which it is attempting to communicate. That is, when both parties to the communication know each other, a self-signed certificate can be used as a credential to identify a particular entity to itself. In this case there is no need for a third party to act as a root of trust. All that is required is that the key pair match—more precisely, that the public key can be used to verify that the certificate was signed with its private key. This case is quite different from other cases in which trust is to be established between unknown parties.
[CPE: 0013] In this example the two devices involved are customer premises equipment (CPE) units. CPEs illustratively include, without limitation, devices such as routers, network switches, residential gateways, set-top boxes, home networking adapters and Internet access 
[Password: 0012] Basic Authentication transmits usernames and passwords in the clear and thus is not secure. While Digest Authentication never sends the password across the network in the clear, it is not always available or convenient to use. [Password: 0013] The techniques described herein allow Basic Authentication to be used when a server or other device needs to be authenticated without transmitting the password in the clear. [Password: 0017] In accordance with the present disclosure, instead of sending a password in the clear as is used in Basic Authentication, a shared secret (i.e., a password) between the server (e.g., the network interface 216) and the client (e.g., the gateway 212) may be incorporated into the self-signed certificate using a hash function. 
[Computer-readable storage medium: 0026] The term “computer-readable storage medium” includes, but is not limited to, portable or fixed storage devices, optical storage devices, a SIM card, other smart cards, and various other mediums capable of storing, containing, or carrying instructions or data. However, computer readable storage media do not include transitory forms of storage such as propagating signals, for example.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the Notice of References Cited (form PTO-892) for additional prior art.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO, whose telephone number is (571) 272-3784. The examiner can normally be reached from 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM, can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 






/TECHANE GERGISO/Primary Examiner, Art Unit 2494