DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are listed below. The terms acquire, associate and output in claims 14 and 15 are similarly being interpreted to invoke 112(f).
“configured to store data” in claims 1, 14 and 20
“configured to perform” in claim 1
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2 and 5-20 are rejected under 35 U.S.C. 103 as being unpatentable over Seed et al. (US 20170318023) in view of Zhang (US 20180167397).

With respect to claims 1, 14 and 20, Seed teaches a computing system comprising:
persistent storage configured to store data on behalf of a managed network, wherein a remote computing system provides a plurality of computing resources on behalf of the managed network (Seed, see FIGS. 5, 6 and paragraphs [0029-0034] an M2M service layer can provide applications and devices access to a collection of M2M centric capabilities supported by the service layer. A few examples of capabilities include, presented without limitation, security, charging, data management, device management, discovery, provisioning, and connectivity management. A resource refers to a uniquely addressable entity in the architecture having a representation that can be manipulated via RESTful mechanisms such as, for example, Create, Retrieve, Update, and Delete. FIG. 6, oneM2M supports resource discovery mechanisms that can be used by a registrant 118 to query and find resources or services hosted by a receiver CSE 22a. The registrant 118 may include, for example, a CSE 22a or an AE 20a. As shown in the example depicted in FIG. 6, oneM2M resource discovery uses a retrieve request that is originated by the registrant 118 (who was successfully authenticated and registered to a CSE at 600). Still referring to FIG. 6, in accordance with the illustrated example, at 602, the discovery request is sent to the receiver CSE 22a.); and
a discovery application configured to perform operations comprising:
obtaining, from the remote computing system, first attributes of a first computing resource of the plurality of computing resources, wherein the first attributes indicate a first unique resource identifier associated with an authentication system provided by the remote computing system and utilized by the first computing resource (Seed, see paragraphs [0034, 0040-0042] FIG. 6, illustrated, at 602, the discovery request is sent to the receiver CSE 22a. The discovery request includes an identity (ID) of the registrant 118, an address of the resource where the discovery operation is to begin (e.g., <CSEBase>), and discovery filter criteria (fc). The filter criteria describe the rules that the CSE 22a uses to perform the resource discovery. The rules may indicate one or more resource types, a creation time, and one or more labels that match. The first AE 20a is authenticated by and registered to oneM2M CSE 22a. Thus, the first AE 20a may also be referred to as a first registrant 118a.  FIG. 10 and paragraphs [0044-0045] further discloses at 1002, preliminary operations are performed so that a plurality of registrants 118 are registered to the CSE 22a. For example, a first registrant 118a of the plurality of registrants 118 may mutually authenticate with the CSE 22a, and the first registrant 118a may register to the CSE 22a. The first registrant 118a may create one or more resources or services which are hosted within the CSE 22a. Alternatively, or additionally, the first registrant 118a may create links to the one or more resources or services that are hosted external to the CSE 22a. The CSE 22a may manage the access control policies for such external resources or services. The first registrant 118a may configure access controls corresponding to the resources or services with a list of one or more access control policies that the CSE 22a can use to authorize access to the resources or services);
second AE 20b is authenticated by and registered to the CSE 22a to which the first AE 20a is registered. Thus, the second AE 20b may also be referred to as a second registrant 118b. In the example, the second AE 20b is interested in discovering and accessing sensors that happen to be the same type as those in the constrained network 212 that are supported by the first AE 20a. FIG. 10 and paragraphs [0044-0045, 0049] further discloses a second registrant 118b of the plurality of registrants 118 may mutually authenticate with the CSE 22a, and the second 118b may register to the CSE 22a.  FIG. 10, at 1004, after the second registrant 118b is authenticated and registered to the CSE 22a for example, the second registrant 118b can query the CSE 22a in a permission based manner. For example, the second registrant 118b may query the CSE 22a to discover resources or services that the second registrant 118b desires. Such a query may be referred to as a discovery request. The desired resources or services may be owned by the first registrant 118a. The second registrant 118a may desire to perform operations on the desired resources or services. Within the discovery request, the second registrant 118 can include various information that allows the CSE 22a to qualify a discovery response based on permissions);
determining that the first unique resource identifier matches the second unique resource identifier (Seed, see paragraphs [0034-0036] At 604, the CSE 22a uses the filter criteria when processing and searching for resources that match the discovery request. Accordingly, such resources may be referred to as matching resources. A match occurs when the service layer 22a finds a resource that matches or meets the filter criteria that are specified in the request that was sent at 602, and when the registrant 118 has sufficient permissions to access the discovered resource. At 606, in accordance with illustrated example, one or more matching resources are discovered, and thus the receiver CSE 22a sends a successful response to the registrant 118. A successful response may indicate a list of the matched resources. At 604, the CSE 22a can then query and find any resources with this matching labels attribute. If any resources exist, the CSE 22a can include discovery information (e.g., an address) for these resources within the response it returns to the registrant 118 at 606. The labels attributes of the resource matches the specified value. ResourceType 0.n. The resourceType determine resources or services match the request. For example, the CSE 22a may compare filter criteria indicated in the discovery request to corresponding attributes associated with resources or services that the CSE 22a hosts);
Seed fails to explicitly disclose, based on the first unique resource identifier matching the second unique resource identifier, generating a mapping between the first computing resource and the authentication system to indicate that access to the first computing resource is controlled by the authentication system.
However, Zhang discloses based on the first unique resource identifier matching the second unique resource identifier (Zhang, see paragraph [0017] receiving an authorization request of the access device, where the authorization request includes the second identifier, the identifier of the accessed resource, and authentication information that a user consents to resource access of the access device; generating the authorization credential when it is determined, according to the authentication information, that the user has a right to access the resource corresponding to the identifier of the accessed resource; sending an authorization binding request to the resource server in which the resource corresponding to the identifier of the accessed resource is located, where the authorization binding request includes the second identifier, the authorization credential, and the identifier of the accessed resource; receiving an authorization binding response sent by the resource server, where the authorization binding response includes information indicating that binding the second identifier, the authorization credential, and the identifier of the accessed resource is successful; sending an authorization response to the access device, where the authorization response includes the authorization credential, the identifier of the accessed resource, and information instructing to sign the authorization credential; receiving a signature binding request sent by the access device, where the signature binding request includes the second identifier, the authorization second authorization relationship to the first identifier, where the second identifier is an identifier that has been used by the access device.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the receiving module is further configured to receive an authorization binding request that is sent after the authorization server performs initial authorization on access of the access device to the resource corresponding to the identifier of the accessed resource, and the authorization binding request includes the second identifier, the authorization credential, and the identifier of the accessed resource), 
generating a mapping between the first computing resource and the authentication system to indicate that access to the first computing resource is controlled by the authentication system (Zhang, FIG. 6B and paragraphs [0294, 0303, 0340] Step 634: After the AE completes signing of the token, the AE initiates a signature binding request to the authorization server, where the request includes the AE-ID1, the token, a token signature, and the URI of the accessed resource. Step 636: After receiving the signature binding request of the AE, the authorization server generates a corresponding authorization relationship and stores the authorization relationship in an authorization relationship mapping table); and
storing, in the persistent storage, the mapping as one or more configuration items (Zhang, see paragraphs [0017-0022] storing the first authorization relationship, where the first authorization relationship includes a correspondence between the second identifier, the authorization credential, the signature of the authorization credential, and the identifier of the accessed resource. Where the authorization binding request includes the second identifier, the authorization credential, and the identifier of the accessed resource; storing, by the resource server, a correspondence between the second identifier, the authorization credential, and the identifier of the accessed resource as the second authorization relationship, and sending an authorization binding response to the authorization server, where the authorization binding response includes information indicating that binding the second identifier. Paragraphs [0033, 0036, 0093, 0098-0099] the sending module is further configured to send a the signature of the authorization credential is stored in a first authorization relationship and is obtained by the authorization server according to the authorization credential. The determining module is further configured to determine, according to the signature of the authorization credential in the second resource access request and the signature of the authorization credential sent by the authorization server, that the signature of the authorization credential in the second resource access request is valid. The server also includes an update module, configured to update the second authorization relationship according to the first identifier).
It would have been obvious to one of ordinary skill in the art at the time the invention was effectively filed to combine the teaching of Seed with the teaching of Zhang to provide a method that enables utilizing a machine-to-machine (M2M) system to identify an identity of the access device by determining whether the signature of the verification information is valid when the identifier of the access device in the M2M system changes so as to update an existing authorization relationship, so that the access device can continue to use the existing authorization relationship. The method enables realizing seamless resource access and guaranteeing service continuity of the M2M system, where the combination of elements according to known methods would yield a predictable result (Zhang, see paragraphs [0037, 0086]).

With respect to claims 2 and 15, Seed-Zhang teaches the computing system, wherein the second attributes of the authentication system comprise one or more of:
(i) a partition of the remote computing system in which the authentication system is disposed,
(ii) a service name of the authentication system (Zhang, see FIG. 5 and [0250, 0156, 0162-0163] FIG. 5, authorization update performed based on an ACP authorization architecture.  Step 508: The resource server (H-CSE) makes an access control decision according to information carried in the access request. FIG. 6A and [0244-0249] Step 614: An authorization server returns an authorization authentication. Step 616: The AE receives the authorization response sent by the authorization server; and when detecting that the response includes the flag bit for requesting user authentication, the AE instructs a user to enter user authentication information into the AE), 
(iii) a geographic region in which the authentication system resides (Seed, see paragraph [0035, 0052] the registrant has been denied to use when accessing the grantedResources or grantedServices. grantedLocation Based on the targeted Locations specified in the discovery request, these are the locations (geo, network, indoor, etc.) the registrant has been granted to access the discovered resources from), 
(iv) an account associated with the authentication system, or (v) an alphanumeric identifier associated with the authentication system, and wherein the operations further comprise: 
obtaining the second unique resource identifier by combining two or more of the second attributes according to a predetermined format (Zhang, see paragraphs [0250-0252] the user may enter an account and a password of the user by using the interaction interface. When the device does not support a user interaction operation, the user may complete input of user information by using another interaction device. In addition, the user may complete input of identity information by using an object such as an identity card that can prove an identity of the user. A manner for entering the user authentication information is out of a discussion scope of the present invention and does not affect the solutions of the present invention. For brevity, in the solutions of the present invention, it is assumed that the device has the user interaction interface, and the user enters an account user1 and a password password1 of the user into the AE by using the interaction interface. Step 618: The user enters the user authentication information).
 
With respect to claims 5 and 16, Seed-Zhang teaches the computing system, wherein the first attributes are obtained prior to obtaining the second attributes, and wherein obtaining the second attributes of the authentication system comprises:

transmitting, to the remote computing system and based on the entry point, a request for the second attributes of the authentication system (Zhang, see paragraphs [0121-0126] Step 412: The resource server returns an ACP resource creation response to the authorization server the H-CSE returns the ACP resource creation response to the AS. The response includes an HTTP 200 response code.  The ACP resource creation response returned by the H-CSE to the AS is: HTTP/1.1 200 OK. A status code of an HTTP response is "200", indicating that the H-CSE has already completed creation and binding of the corresponding ACP resource. In an HTTP message body, ""resourceID": "/CSE0003/ACP0001"" indicates that the ACP ID allocated by the H-CSE to the created ACP is "/CSE0003/ACP0001". A CSE ID of the H-CSE is added before the ACP ID, so as to uniquely identify the ACP resource in the M2M system); and
receiving, from the remote computing system, the second attributes (Zhang, see paragraph [0017] receiving an authorization request of the access device, where the authorization request includes the second identifier, the identifier of the accessed resource, and authentication information that a user consents to resource access of the access device; generating the authorization credential when it is determined, according to the authentication information, that the user has a right to access the resource corresponding to the identifier of the accessed resource; sending an authorization binding request to the resource server in which the resource corresponding to the identifier of the accessed resource is located, where the authorization binding request includes the second identifier, the authorization credential, and the identifier of the accessed resource; receiving an authorization binding response sent by the resource server, where the authorization binding response includes information indicating that binding the second identifier, the authorization credential, and the identifier of the accessed resource is successful).

With respect to claims 6 and 17, Seed-Zhang teaches the computing system, wherein the first attributes are obtained prior to obtaining the second attributes, and wherein the operations further comprise:
determining a content of the first unique resource identifier, wherein the plurality of computing resources comprises a plurality of types of computing resources, and wherein each respective type of computing resource of the plurality of types of computing resources is associated with a corresponding unique resource identifier content (Zhang, see paragraph [0163, 0226] after the H-CSE receives the resource access request of the AE, the H-CSE first parses out the URI of the accessed resource in the resource access request, that is, a URL address "/CSE0003/resource1" in a GET request, and locally searches for a corresponding resource resource1. Then, the H-CSE parses the resource access request to obtain the AE-ID2, that is, a URL query string "/CSE0006/CAE0003" in the GET request. Finally, the H-CSE finds, in an accessControlPolicyIDs attribute value of the corresponding resource resource1, an ACP ID list bound to the resource, and determines, according to an access control decision process described in the background, whether the AE has a right to access the resource. Paragraph [0317] when the resource server determines that the received resource access request includes no access token, the resource access response returned by the resource server to the access device carries a URI of the authorization server, so that the access device applies to the authorization server for authentication authorization. The authorization server verifies that the user authentication information is valid, and generates the access token. The authorization server sends the access device identifier, the URI of the accessed resource, and the generated access token to the resource server, so that the resource server generates the corresponding authorization relationship. The authorization server sends the generated access token and the URI of the accessed resource to the AE, and requests the AE to sign the access token. 
The AE stores a correspondence between the URI of the accessed resource and the access token. The authorization server 
based on the content, selecting a discovery pattern from a plurality of discovery patterns available for discovering the plurality of types of computing resources (Zhang, see paragraphs [0163, 0227] Step 608: The resource server (H-CSE) receives the resource access request sent by the AE, and makes an access control decision. If the accessed resource can be locally found, the H-CSE searches a resource attribute for a corresponding authorization relationship according to an access device identifier and an access token in the resource access request. When the resource access request sent by the AE is the initial resource access request, and as described in step 606, the request includes no access token parameter, the H-CSE determines that the AE initially accesses the resource, and the H-CSE initiates an authorization procedure. Step 610: The resource server returns a resource access response to the AE. The response includes a redirection response code and a redirection URL. The redirection URL points to a dynamic authorization address of an authorization server in the M2M system); and
executing the selected discovery pattern to cause the discovery application to obtain the second attributes of the authentication system (Zhang, see paragraphs [0264-0274] Step 624: The authorization server sends an authorization binding request to the resource server, where the authorization binding request includes the AE-ID1, the token, and the URI of the accessed resource. After the AS generates the token for the authorization request of the AE, the AS sends the authorization binding request to the H-CSE, to instruct the H-CSE to bind and store authorization information and a corresponding resource. The authorization binding request includes the AE-ID1, the token, and the URI of the accessed resource).

With respect to claims 7 and 18, Seed-Zhang teaches the computing system, wherein the first attributes are obtained prior to obtaining the second attributes, wherein the first attributes are stored in the persistent storage as one or more additional configuration items, and wherein determining that the first unique resource identifier matches the second unique resource identifier comprises:
in response to obtaining the second attributes, parsing the one or more additional configuration items to identify therein one or more unique resource identifiers (Seed, see paragraph [0040] A second AE 20b is authenticated by and registered to the CSE 22a to which the first AE 20a is registered. the second 118b may register to the CSE 22a. FIG. 10, at 1004, after the second registrant 118b is authenticated and registered to the CSE 22a for example, the second registrant 118b can query the CSE 22a in a permission based manner. For example, the second registrant 118b may query the CSE 22a to discover resources or services that the second registrant 118b desires. Such a query may be referred to as a discovery request. The desired resources or services may be owned by the first registrant 118a. The second registrant 118a may desire to perform operations on the desired resources or services. Within the discovery request, the second registrant 118 can include various information that allows the CSE 22a to qualify a discovery response based on permissions); and
identifying the first unique resource identifier within the one or more unique resource identifiers (Zhang, paragraphs [0120-0126] after the H-CSE completes creation of the ACP resource, the H-CSE allocates an ACP ID to the ACP resource and sets the ACP ID as a resource identifier (that is, a resourceID attribute) of the ACP resource, for example, "ACP0001". The ACP ID uniquely identifies the ACP resource within the H-CSE. The H-CSE returns the ACP resource creation response to the AS. The response includes an HTTP 200 response code (equivalent to programmatic code). For example, the ACP resource creation response returned by the H-CSE to the AS. Status code of an HTTP response is "200", indicating that the H-CSE has already completed creation and binding of the corresponding ACP resource. In an HTTP message body, ""resourceID": "/CSE0003/ACP0001"" indicates that the ACP ID allocated by the H-CSE to the created ACP is "/CSE0003/ACP0001". A CSE ID of the H-CSE is added before the ACP ID, so as to uniquely identify the ACP resource in the M2M system).

With respect to claims 8 and 19, Seed-Zhang teaches the computing system, wherein the second attributes are obtained prior to obtaining the first attributes, wherein the first attributes are stored 
in response to storing the first attributes in the persistent storage, parsing the one or more additional configuration items to identify therein one or more unique resource identifiers (Zhang, see paragraphs [0009-0010] The method also includes sending a first authorization update response to the access device, where the first authorization update response includes signature request information, and the signature request information instructs the access device to sign verification information. The method also includes receiving a signature verification request sent by the access device, where the signature verification request includes the first identifier, the verification information, and a signature of the verification information, and the signature of the verification information is generated by the access device by signing the verification information by using a key. The method also includes obtaining a stored first authorization relationship according to the verification information. The method also includes determining, according to the signature of the verification information in the received signature verification request and a signature of verification information stored in the first authorization relationship, that the signature of the verification information in the signature verification request is valid. The method also includes updating the first authorization relationship according to the first identifier); and
identifying the first unique resource identifier within the one or more unique resource identifiers (Zhang, see paragraphs [0009-0011] a first possible implementation of the first aspect, before the receiving a first authorization update request sent by an access device, the method further includes: receiving, by a resource server, a resource access request sent by the access device, where the resource access request includes the first identifier and an identifier of an accessed resource. The method also includes determining, by the resource server according to the first identifier and the identifier of the accessed resource that the access device has no right to access a resource corresponding to the identifier of the accessed resource. The method also includes rejecting, by the resource server, the request of the access device for accessing the resource corresponding to the identifier of the accessed resource, and sending, to the access device, a resource access response including a redirection address, where the redirection address is an authorization update port address of an authorization server, so that 

With respect to claim 9, Seed-Zhang teaches the computing system, wherein the first attributes additionally indicate a third unique resource identifier associated with an additional computing resource of the plurality of computing resources, wherein the operations further comprise:
obtaining, from the remote computing system, third attributes of the additional computing resource associated with the third unique resource identifier (Seed, see paragraphs [0034, 0040-0042] FIG. 6, illustrated, at 602, the discovery request is sent to the receiver CSE 22a. The discovery request includes an identity (ID) of the registrant 118, an address of the resource where the discovery operation is to begin (e.g., <CSEBase>), and discovery filter criteria (fc). The filter criteria describe the rules that the CSE 22a uses to perform the resource discovery. The rules may indicate one or more resource types, a creation time, and one or more labels that match. The first AE 20a is authenticated by and registered to oneM2M CSE 22a. Thus, the first AE 20a may also be referred to as a first registrant 118a.  FIG. 10 and paragraphs [0044-0045, 0071] further discloses at 1002, preliminary operations are performed so that a plurality of registrants 118 are registered to the CSE 22a. For example, a first registrant 118a of the plurality of registrants 118 may mutually authenticate with the CSE 22a, and the first registrant 118a may register to the CSE 22a. The first registrant 118a may create one or more resources or services which are hosted within the CSE 22a. The communication network 12 may comprise of multiple access networks that provides content such as voice, data, video, messaging, broadcast, or the like to multiple users. For example, the communication network 12 may employ one or more channel access methods);
determining, based on the third attributes, that the additional computing resource utilizes the authentication system by way of the first computing resource (Seed, see paragraphs [0034-0036] At 604, the CSE 22a uses the filter criteria when processing and searching for resources that match the discovery request. Accordingly, such resources may be referred to as matching resources. A match occurs when the service layer 22a finds a resource that matches or meets the filter criteria that are specified in the request that was sent at 602, and when the registrant 118 has sufficient permissions to access the discovered resource. At 606, in accordance with the illustrated example, one or more matching resources are discovered, and thus the receiver CSE 22a sends a successful response to the registrant 118. A successful response may indicate a list of the matched resources. At 604, the CSE 22a can then query and find any resources with this matching labels attribute. If any resources exist, the CSE 22a can include discovery information (e.g., an address) for these resources within the response it returns to the registrant 118 at 606. The labels attributes of the resource matches the specified value. resourceType 0..n The resourceType attribute of the resource is the same as the specified value. FIG. 10 and paragraphs [0046-0053, 0056] further disclose that the CSE 22a can allow a given registrant to optionally include permission-based filter criteria in a discovery request. The filter criteria can be used by the CSE 22a to qualify whether or not a resource or service matches and is included in a discovery response. Based on detecting a permission-based discovery request, the CSE 22a can process the discovery request to determine whether resources or services match the request. For example, the CSE 22a may compare filter criteria indicated in the discovery request to corresponding attributes associated with resources or services that the CSE 22a hosts);
updating the mapping to indicate that the additional computing resource utilizes the authentication system by way of the first computing resource to control access to the additional computing resource (Zhang, see paragraphs [0155] If the authorization relationship is found, a value "JYUI7BZO92" is assigned to a signature attribute value of the authorization relationship. If the authorization relationship is not found, a new authorization relationship is constructed, and the authorization relationship is added to the authorization relationship mapping table. In this embodiment of the present invention, as shown in Table 1, the authorization relationship corresponding to the AE does not exist in the authorization relationship mapping table of the AS. Therefore, the AS generates a new authorization relationship and updates the new authorization relationship into the authorization relationship mapping table. An updated authorization relationship mapping table is shown in Table 5. Data in the third row in this table is the newly generated authorization relationship.); and
storing, in the persistent storage, the mapping as updated (Zhang, see paragraphs [0017-0024] storing the first authorization relationship, where the first authorization relationship includes a correspondence between the second identifier, the authorization credential, the signature of the authorization credential, and the identifier of the accessed resource. Where the authorization binding storing, by the resource server, a correspondence between the second identifier, the authorization credential, and the identifier of the accessed resource as the second authorization relationship, and sending an authorization binding response to the authorization server, where the authorization binding response includes information indicating that binding the second identifier. The receiving module is further configured to receive a signature verification request sent by the access device, where the signature verification request includes the first identifier, the verification information, and a signature of the verification information, and the signature of the verification information is generated by the access device by signing the verification information by using a key. The server also includes an obtaining module, configured to obtain a stored first authorization relationship according to the verification information in the signature verification request received by the receiving module. The server also includes a determining module, configured to determine, according to the signature of the verification information in the received signature verification request and a signature of verification information stored in the first authorization relationship, that the signature of the verification information in the signature verification request is valid. The server also includes an update module, configured to update the first authorization relationship according to the first identifier).

With respect to claim 10, Seed-Zhang teaches the computing system, wherein the first computing resource comprises a dynamically triggerable software function, and wherein the first attributes include programmatic code that contains therein the first unique resource identifier (Zhang, paragraphs [0120-0126] after the H-CSE completes creation of the ACP resource, the H-CSE allocates an ACP ID to the ACP resource and sets the ACP ID as a resource identifier (that is, a resourceID attribute) of the ACP resource, for example, "ACP0001". The ACP ID uniquely identifies the ACP resource within the H-CSE. The H-CSE returns the ACP resource creation response to the AS. The response includes an HTTP 200 response code (equivalent to programmatic code). For example, the ACP resource creation response returned by the H-CSE to the AS. Status code of an HTTP response is "200", indicating that the H-CSE has already completed creation and binding of the corresponding ACP resource. In an HTTP message body, ""resourceID": "/CSE0003/ACP0001"" indicates that the ACP ID allocated by the 

With respect to claim 11, Seed-Zhang teaches the computing system, wherein the first computing resource comprises a data storage structure, and wherein the first attributes include: (i) contents of the data storage structure that indicate the first unique resource identifier (Zhang, paragraphs [0120-0126] after the H-CSE completes creation of the ACP resource, the H-CSE allocates an ACP ID to the ACP resource and sets the ACP ID as a resource identifier (that is, a resourceID attribute) of the ACP resource, for example, "ACP0001". The ACP ID uniquely identifies the ACP resource within the H-CSE. Paragraph [0146] further discloses specifically, the AE binds and locally stores the current AE-ID1 (first unique ID) and an M2M SP ID (M2M Service Provider Identifier). A storage method may be implemented by using an access device identifier mapping table, or another storage manner is used. During specific implementation, which storage method is used does not affect the solutions of the present invention. It is assumed that the AE end uses an access device identifier mapping table to store a correspondence between an AE-ID and an M2M SP ID) or 
(ii) metadata associated with the data storage structure that indicates the first unique resource identifier.

With respect to claim 12, Seed-Zhang teaches the computing system, wherein the first attributes comprise trigger events that cause the first computing resource to invoke execution of or provide access to another computing resource of the plurality of computing resources, and wherein at least one trigger event of the trigger events indicates the first unique resource identifier (Zhang, paragraphs [0120, 0218-0219] after the H-CSE completes creation of the ACP resource, the H-CSE allocates an ACP ID to the ACP resource and sets the ACP ID as a resource identifier (that is, a resourceID attribute) of the ACP resource, for example, "ACP0001". The ACP ID uniquely identifies the ACP resource within the H-CSE. Then, the H-CSE finds the corresponding resource, that is, "/CSE0003/resource1", according to the bound resource identifier in the ACP resource creation request, and adds the ACP ID of the created ACP resource, that is, "ACP0001", to an accessControlPolicyIDs the resource server triggers an authorization relationship update procedure. The M2M system determines an identity of an access device by verifying a signature of verification information (token signature) of the access device, and updates an existing authorization relationship. Therefore, the M2M device can implement seamless resource access, and service continuity of the M2M system is ensured).

With respect to claim 13, Seed-Zhang teaches the computing system, wherein obtaining at least one of (i) the first attributes or (ii) the second attributes comprises: 
generating a hypertext transfer protocol (HTTP) request that: (i) specifies, by way of one or more HTTP parameters, a function of an application programming interface (API) provided by the remote computing system, and (ii) includes authentication credentials for interacting with the API (Zhang, see paragraphs [0117-0119] the ACP resource is created on a root node of the H-CSE. During specific implementation, the AS may define, in a URL of a POST request, a parent resource ID of the ACP resource that needs to be created. Which resource the ACP resource is created on does not affect the solutions of the present invention, and therefore is not limited in the present invention. "From" describes an ID of an originator of the resource creation request, that is, a URL address "http://authzserver.things.com" of the authorization server in this embodiment. An HTTP message body includes all attributes of the created ACP resource. ""ResourceType":"accessControlPolicy"" indicates that a type of the resource currently requested to be created is ACP);
transmitting the HTTP request to the remote computing system (Zhang, see paragraphs [0121-0126] Step 412: The resource server returns an ACP resource creation response to the authorization 
receiving, from the remote computing system, an HTTP response that contains an output of the function, wherein the output identifies the at least one of (i) the first attributes or (ii) the second attributes  (Zhang, see paragraphs [0143-0146] A URL in a POST request is a URI of the AE on an R-CSE. After receiving the request, the R-CSE forwards the signature request to the AE. In an HTTP message body, ""SigReq": "1"" is a signature request flag bit, indicating that the AE needs to sign the verification information. The verification information in this embodiment is the AE-ID1. Because the AE stores an identifier of the AE itself, the HTTP message body in the foregoing signature request does not need to include a verification information parameter. During specific implementation, when verification information in another form is used, the HTTP message body in the foregoing signature request may include a corresponding verification information parameter. After receiving the signature request of the AS, the AE first detects whether the HTTP message body includes the signature request flag bit "SigReq". When a resource access response includes a "SigReq" parameter and a value of the "SigReq" parameter is "1", the AE uses a preset signature algorithm and the device factory key to sign the corresponding verification information. Paragraphs [0237-0239] further discloses the AE receives the resource access response of the H-CSE and detects the HTTP status code. When the status code is "302", the AE sends the authorization request to the AS. For example, the authorization request sent by the AE to the AS is:  http://authzserver.things.com ).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Seed et al. (US 20170318023) in view of Zhang (US 20180167397) further in view of Schiesser (US10972444).

With respect to claim 3, Seed-Zhang teaches the computing system, yet fails to explicitly disclose wherein the second attributes identify a user pool of the authentication system, wherein the user pool defines a plurality of service identifiers usable to access one or more computing resources of the plurality of computing resources, wherein the first computing resource utilizes the user pool to control access to the first computing resource, and wherein the mapping further indicates the user pool of the authentication system.  
However, Schiesser discloses wherein the second attributes identify a user pool of the authentication system, wherein the user pool defines a plurality of service identifiers usable to access one or more computing resources of the plurality of computing resources, wherein the first computing resource utilizes the user pool to control access to the first computing resource, and wherein the mapping further indicates the user pool of the authentication system (Schiesser, see Col. 2, lines 1-56, mapping between user account information maintained by a first resource and user identity information maintained by a second resource, the first and second resource associated with different security measures to control access to those resources. Example resources may include a user pool database and an identity pool database. In accordance with various embodiments, a multi-tenant resource provider, such as a cloud computing platform. A mapping service, which may be provided by the resource provider, obtains a set of login credentials and authenticates the login credentials with the user pool. In response to receiving the login credentials and an authentication request, the user pool returns the account credentials associated with the login credentials. The account credentials are used to access the account identifier, and other associated account identity data in the identity pool. Thus, the login credentials from the user pool and the account identifier from the identity are obtained and associated with each other in a searchable data structure. In an embodiment, based on the association between the login credentials and the account identifier, other account user information stored in the user pool that was already associated with the login credentials may also be mapped to the various account identity information in the identity pool that were already associated with the account identifier. FIG. 3 and Col. 10, lines 8-53, system implementation 300 for mapping the account user information stored in the user pool with corresponding account identity information stored in the identity pool, in accordance with various embodiments. The system 300 includes a resource provider environment 310, such as generated by the 
It would have been obvious to one of ordinary skill in the art at the time the invention was effectively filed to combine the teaching of Seed-Zhang with the teaching of Schiesser so that the desired amount of computing resources is acquired without having to worry about acquiring physical machines. A consistent and continuous end user experience across different sessions and across different user devices is enabled, where the combination of elements according to known methods would yield a predictable result (Schiesser, see Col. 9, lines 49-60).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Seed et al. (US 20170318023) in view of Zhang (US 20180167397) further in view of Austin et al. (US 20160306964).

With respect to claim 4, Seed-Zhang teaches the computing system, yet fails to explicitly disclose wherein the second attributes identify an identity pool of the authentication system, wherein the identity pool defines one or more temporary resource credentials usable to provide access to one or more other computing resources of the plurality of computing resources, and wherein the mapping further indicates the identity pool of the authentication system. 
However, Austin discloses wherein the second attributes identify an identity pool of the authentication system, wherein the identity pool defines one or more temporary resource credentials usable to provide access to one or more other computing resources of the plurality of computing resources, and wherein the mapping further indicates the identity pool of the authentication system (Austin, see paragraphs [0087-0088] The provisioner unit 340 provisions the new task isolation environment 350 by programmatically creating user credentials for a new user account 121 b on the computer device 200, and presenting those created user credentials to the operating system 202. Suitably, the new user account 121 b is a temporary user account with a programmatically created password set by the provisioner 340. For example, the provisioner 340 may generate the password as a random or pseudo-random character string. The content isolation agent 300 automatically provides these user credentials to generate the temporary user account 121 b. Thus, the computer device 200 now contains the original user account 121 of the original logged in user, as a first user account or primary user account. The device also now contains a second user account 121 b, namely the temporary user account or secondary user account, which has been programmatically created by the provisioner 340. The temporary user account 121 b has a corresponding access token 122 b, created by logging on with the credentials of the temporary user account 121 b as just created).
It would have been obvious to one of ordinary skill in the art at the time the invention was effectively filed to combine the teaching of Seed-Zhang with the teaching of Austin so that the device leverages the inherent security of an existing security model to provide a mechanism for content isolation using isolation environments. The device provides controlled access to named objects to allow the device to function on a practical level and achieve the function desired by a user, while maintaining effective isolation. The device allows a clipboard mechanism to maintain security and isolation of potentially malicious code by being able to confine potentially insecure clipboard operations to remain solely within a security context. The device allows the clipboard mechanism to dependably and securely support clipboard functionality, thus allowing the user to perform copy, cut and paste operations any number of times in any order, while switching security contexts between the secondary user account and the primary user account, where the combination of elements according to known methods would yield a predictable result (Austin, see paragraphs [0014-0015]).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. This includes:

Patent No. US 7865931 Access authorizing system for application in protected computer network during electronic transactions, has application server determining whether combined attributes meet logical operator to authorize request. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELIZABETH KASSA whose telephone number is (571)270-0567. The examiner can normally be reached on Monday-Friday, 9 AM-6 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne can be reached on 517-272-4001.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




05/22/2021

/ELIZABETH KASSA/Examiner, Art Unit 2457
/HEE SOO KIM/Primary Examiner, Art Unit 2457