Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 6/28/2019.
Claims 1-20 have been examined.


Information Disclosure Statement
The information disclosure statements (IDS) submitted on 8/13/2019, 11/15/2019, 5/1/2020, and 12/15/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Draluk (US Patent Application Publication Number 20130160147), and further in view of Iga (US Patent Application Publication Number 2010/0229242).
Regarding claims 1 and 11, Draluk disclosed a certificate obtaining method, comprising: 
sending, by a network device, certificate application information to a certificate issuing device, wherein the certificate application information comprises an application (APP) (Draluk Paragraphs 0035-0036); and
receiving, by the network device, a certificate that is of the APP and that is from the certificate issuing device, wherein the certificate is generated according to the APP, and wherein the certificate provides permission authentication when the APP accesses an application programming interface (API) of a controller (Draluk Paragraphs 0035-0036).
Draluk did not explicitly teach that the digital certificate comprises one or more of: information about operation permission of the APP on N application programming interfaces (APIs) of a controller, identifiers of L APIs that are of the N APIs and that the APP has permission to operate, or identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate, wherein N is a natural number greater than or equal to 1, wherein L is a natural number greater than or equal to 1, and less than or equal to N, and wherein R is a natural number greater than or equal to 1, and less than or equal to N.
Iga taught a system in which API permissions are determined, and where Iga taught that instead of using a table to store permitted functions associated with a certificate, the permissions can be indicated in the certificate itself (Iga Paragraph 0006, for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Iga in the API 

Regarding claims 6 and 16, Draluk disclosed an authentication method, comprising:
receiving, by an authentication device, an access request message of an application (APP), wherein the access request message comprises a digital certificate (Draluk Paragraphs 0021 and 0026 for example), wherein the digital certificate is used to verify operation permission of the APP (Draluk Paragraphs 0018 and 0035-0036); and
determining, by the authentication device, operation permission of the APP on the one or more APIs based on the digital certificate (Draluk Paragraphs 0021 and 0026 for example).
Draluk did not explicitly teach that the digital certificate comprises one or more of: information about operation permission of the APP on N application programming interfaces (APIs) of a controller, identifiers of L APIs that are of the N APIs and that the APP has permission to operate, or identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate, wherein N is a natural number greater than or equal to 1, wherein L is a natural number greater than or equal to 1, and less than or equal to N, and wherein R is a natural number greater than or equal to 1, and less than or equal to N.
Iga taught a system in which API permissions are determined, and where Iga taught that instead of using a table to store permitted functions associated with a certificate, the permissions can be indicated in the certificate itself (Iga Paragraph 0006, for example).


Regarding claim 2, Draluk and Iga taught that the certificate comprises the information about operation permission of the APP on the N APIs of the controller, and wherein the information about operation permission comprises identifiers of the N APIs and operation permission of the APP on each of the N APIs (Draluk Paragraphs 0021 and 0026, and Iga Paragraphs 0072-0074 for example).

Regarding claim 3, Draluk and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in the API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is an integer greater than or equal to 0, and less than or equal to N (Draluk Paragraphs 0021 and 0026, and Iga Paragraphs 0072-0074 for example).

Regarding claim 4, Draluk and Iga taught that the certificate comprises the information about operation permission of the APP on the N APIs of the controller, and wherein the 

Regarding claim 5, while Draluk and Iga did not explicitly teach that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in extended information of the certificate, it was well known in the art that the extended information portion of a certificate can be used for storing data needing to be stored in the certificate, and as such it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have done so in the system of Draluk and Iga.  This would have been obvious because the person having ordinary skill in the art would have been motivated to utilize a well-known means for storing information in a certificate to store the generically taught storing of the security permission information of Draluk and Iga.

Regarding claim 7, Draluk and Iga taught when the digital certificate comprises the information about operation permission of the APP on the N APIs of the controller, the information about operation permission comprises identifiers of the N APIs and operation permission of the APP on each of the N APIs (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).

Regarding claim 8, Draluk and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in the API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is an integer greater 

Regarding claim 9, Draluk and Iga taught that operation permission is represented using a bitmap when the digital certificate comprises the operation permission of the APP on the N APIs of the controller (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).


Regarding claim 10, while Draluk and Iga did not explicitly teach that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in extended information of the certificate, it was well known in the art that the extended information portion of a certificate can be used for storing data needing to be stored in the certificate, and as such it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have done so in the system of Draluk and Iga.  This would have been obvious because the person having ordinary skill in the art would have been motivated to utilize a well-known means for storing information in a certificate to store the generically taught storing of the security permission information of Draluk and Iga.
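The mechanism recited in claims 1, 5, 9 and 10 (a certificate extension carrying the APP's operation permission on N APIs as a bitmap alongside the L permitted and R denied API identifiers, checked by the controller before an API call is honored), worked through as an added example. This is not code from the office action or from the cited Draluk or Iga publications; the certificate is modelled as a plain dictionary, and the extension name, API count and permission sets are constructed placeholders.

```python
# Added example, not code from the office action or the cited Draluk/Iga publications.
# Models a certificate extension carrying an APP's operation permission on a
# controller's N APIs as a bitmap plus the L permitted / R denied identifier lists,
# and a controller-side check that fails closed when those representations disagree.

def encode_bitmap(permitted, n):
    """Bit i (LSB = API 0) is set when the APP may operate API i; width is N bits."""
    if any(i < 0 or i >= n for i in permitted):
        raise ValueError("API identifier outside 0..N-1")
    value = sum(1 << i for i in permitted)
    return value.to_bytes((n + 7) // 8, "big")


def decode_bitmap(bitmap, n):
    """Recover the set of permitted API identifiers from an N-bit bitmap."""
    value = int.from_bytes(bitmap, "big")
    return {i for i in range(n) if value >> i & 1}


def build_permission_extension(permitted, n):
    """Constructed extension body: bitmap plus explicit L and R identifier lists."""
    permitted = set(permitted)
    return {
        "n": n,
        "bitmap": encode_bitmap(permitted, n),
        "permitted_apis": sorted(permitted),               # the L identifiers
        "denied_apis": sorted(set(range(n)) - permitted),  # the R identifiers
    }


def extension_is_consistent(ext):
    """L, R and the bitmap must describe the same partition of the N APIs."""
    n = ext["n"]
    l_set, r_set = set(ext["permitted_apis"]), set(ext["denied_apis"])
    if l_set & r_set or not (l_set | r_set) <= set(range(n)):
        return False
    return decode_bitmap(ext["bitmap"], n) == l_set


def authorize(cert, api_id):
    """Controller decision for one API call; absent or inconsistent data denies."""
    ext = cert.get("extensions", {}).get("api-permissions")  # placeholder extension name
    if ext is None or not extension_is_consistent(ext):
        return False
    return api_id in decode_bitmap(ext["bitmap"], ext["n"])


# Constructed sample: a controller with N = 8 APIs; the APP holds permission on L = 3.
SAMPLE_CERT = {"subject": "example-app", "extensions": {
    "api-permissions": build_permission_extension({0, 2, 5}, 8)}}
```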


Regarding claim 12, Draluk and Iga taught that when the certificate comprises the information about operation permission of the APP on the N APIs of the controller, the information about operation permission comprises identifiers of the N APIs and operation 

Regarding claim 13, Draluk and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in the API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is a natural number greater than or equal to 1, and less than or equal to N (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).

Regarding claim 14, Draluk and Iga taught that operation permission is represented using a bitmap when the certificate comprises the operation permission of the APP on the N APIs of the controller (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).

Regarding claim 15, while Draluk and Iga did not explicitly teach that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in extended information of the certificate, it was well known in the art that the extended information portion of a certificate can be used for storing data needing to be stored in the certificate, and as such it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have done so in the system of Draluk and Iga.  This would have been obvious because the person having ordinary skill in the art would have been motivated to utilize 

Regarding claim 17, Draluk and Iga taught that when the digital certificate comprises the information about operation permission of the APP on the N APIs of the controller, the information about operation permission comprises identifiers of the N APIs and operation permission of the APP on each of the N APIs (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).

Regarding claim 18, Draluk and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in the API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is a natural number greater than or equal to 1, and less than or equal to N (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).

Regarding claim 19, Draluk and Iga taught that the operation permission is represented using a bitmap when the digital certificate comprises the operation permission of the APP on the N APIs of the controller (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).
Regarding claim 20, while Draluk and Iga did not explicitly teach that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in extended information of the certificate, it was well known in the art that the extended information portion .


Conclusion
Claims 1-20 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2016/0014149 taught a system in which certificates are used to determine which APIs are allowed to be accessed by an app, but does not explicitly teach that the permitted APIs are listed in the certificate.
US 2014/0245397 taught a system in which certificates are used to determine which APIs are permitted to be accessed; for an application to acquire permission for usage of a specific API or function in the "signature" protection level, a certificate of an application declaring the permission should coincide with a certificate of an application defining the corresponding permission.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790.  The examiner can normally be reached on Monday- Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491