DETAILED ACTION
1.	This action is responsive to communications regarding the applicant’s amendments and arguments, filed on 03/08/2021. 
2. 	Claims 1-2, 4-12, 14-22 are pending.
Response to Arguments and Amendments
3.	Applicant’s arguments filed on 03/08/2021 with respect to the 35 U.S.C. 103(a) rejections have been fully considered, but they are not persuasive.
4.	On pages 7-8 of the response, applicant argues that Linnakangas fails to teach or disclose the recited limitation of “creating, by the network control apparatus and based on the determined existing chain of trust relationships from the first entity via the at least one intermediate entity to the second entity, at least one secured direct trust relationship between the first entity and the second entity, wherein the created at least one secured direct trust relationship between the first entity and the second entity does not include the determined existing chain of trust relationships from the first entity via the at least one intermediate entity to the second entity” because the cited references do not appear to suggest “shortening of an already determined chain”.
In response to the argument, the examiner disagrees. As stated in the Office action dated 12/9/2020, an “existing” chain is determined at col. 2, lines 30-39 of Linnakangas: the event initiated by a second host device on a first host device is the existing chain, and the data processing device is the intermediary. Note that the limitation recites “by the network control apparatus, an existing chain of trust relationships from a first entity via at least one intermediate entity”, which can be interpreted as the “determining” being performed via the intermediate entity, and not necessarily that the trust itself runs via the intermediate entity, as argued. Linnakangas then discloses (col. 2, lines 30-39, and col. 15, lines 1-6) storing information for determination of a trust relationship, which is mapped to creating the direct trust relationship, as claimed. This newly created information (the trust relationship) is different from the log information from which the chain of trust was determined.
On page 9 of the response, applicant argues that Linnakangas fails to teach or disclose the recited limitation of “shortening of an existing trust relationship chain”.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


5.	Claims 1-2, 4-7, 9, 11-12, 14-17, 19-22 are rejected under 35 U.S.C. 103 as being unpatentable over Tommi Linnakangas (US 9319396), hereinafter Linnakangas, in view of Paul C. Van Oorschot (US 6134550), hereinafter Oorschot.

	Regarding claim 1:
	Linnakangas discloses a method for controlling, by a network control apparatus of a computerised network system, trust relationships between entities capable of communicating with each other in the computerised network system, the method comprising: 
receiving at a data processing device information from at least one source of log information in the computerized system, detecting based at least in part on said received log information at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device, and storing information for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device (Linnakangas, column 2, [lines 30-39]).
creating, by the network control apparatus and based on the determined existing chain of trust relationships from the first entity via the at least one intermediate entity to the second entity, at least one secured direct trust relationship between the first entity and the second entity, wherein the created at least one secured direct trust relationship between the first entity and the second entity does not include the determined existing chain of trust relationships from the first entity via the at least one intermediate entity to the second entity: if information about the originator is available, such as the originating host network address, the key fingerprint used for authentication, or the userID at the originating host, a dynamic trust relationship record is created as described above, with the outside network address used as the destination host address; this address is obtained from the gateway at the perimeter (Linnakangas, column 15, [lines 1-6]). In a further aspect, a data processing device can identify a successful login to a first host device from a second host device using a public key identified by a fingerprint for authentication, based on log information conveyed from the first host device; it is determined that at least one of the first host device and the second host device is not being managed by a management system, and a database is then updated to record that a key identified by the fingerprint is used outside the environment managed by the management system (Linnakangas, column 2, [lines 55-65]).
and causing, by the network control apparatus, storing information of the created at least one secured direct trust relationship between the first entity and the second entity in a database of trust relationships: the storing may comprise storing one of a trust relationship record provided based on the detected event and information of the detected event (Linnakangas, column 11, [lines 28-31]).
Oorschot teaches that trust relationships between certification authorities determine how certificates issued by one certification authority may be utilized or verified by entities certified by distinct certification authorities, such as those in other networks. Since public key certificates provide a mechanism for obtaining authenticated public keys, provided the verifier has a trusted verification public key of the certification authority which signed the certificate, trusted paths may be established and maintained among the certification authorities and hence subscribers in large computer networks (Oorschot, column 1, line 65 - column 2, line 7). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Linnakangas with that of Oorschot in order to secure information, and more particularly to provide computer network security systems using cryptographic techniques that employ certificates (Oorschot, column 1, [lines 6-10]).

Regarding claim 2:
Linnakangas and Oorschot disclose routing data between the first entity and the second entity according to the created at least one secured direct trust relationship: the log information may be analyzed to obtain at least one key used for authenticating the security protocol related event, whereafter at least one fingerprint identifying the key is determined for a key configured as granting access to at least one user account on at least one host, and the determined fingerprints are stored, together with identification of the corresponding key, identification of a user account for which the corresponding key was configured as granting access, and an identification of a host or host equivalence group on which the corresponding key was configured as granting access to the user account, in a database as a key (Linnakangas, column 11, [lines 39-50]).

Regarding claim 4:
Linnakangas and Oorschot disclose continuing storing information of the chain of trust relationships in the database after the creation of the at least one secured direct trust relationship: the record can be, for example, a data structure, a database row, or a combination of data structures or database rows. The record can comprise one or more public key fingerprints (or identification of key(s)), source device network address, destination device network address, authenticated userID, originating userID, and other available information (Linnakangas, column 6, [lines 29-35]).

Regarding claim 5:
Linnakangas and Oorschot disclose replacing information of the chain of trust relationships by the information of the created at least one secured direct trust relationship: an update of a database to indicate that a key corresponding to the fingerprint has been used for logging into the first user account on the first host device at the time of the login (Linnakangas, column 12, [lines 1-3]).

Regarding claim 6:
Linnakangas and Oorschot disclose displaying a graphical presentation comprising the created at least one secured direct trust relationship: a computer can be configured to analyze dynamic and static trust relationships obtained by any of the aforementioned methods, to calculate, derive, or estimate metrics, and to make them available to users or computer services in human-readable form, such as text files or graphical plots (Linnakangas, column 12, [lines 60-65]).

Regarding claim 7:
Linnakangas and Oorschot disclose determining whether at least a part of the chain of trust relationships can be replaced by a secured direct trust relationship: a localized scanning of locations known to potentially contain information of access granting public keys of the user may be triggered in response to detection of a connection from the second host device to the first host device by a user authenticated by a public key represented by its fingerprint (Linnakangas, column 11, [lines 59-63]). The examiner interprets that once the user is authenticated and able to access the other user account, the chain of trust relationships has been replaced.

Regarding claim 9:
Linnakangas discloses that computer networks can be divided into multiple, distinct authorization domains, and that crossing authorization boundaries between those zones can be considered a violation of policy. A set of rules can be defined to trigger a notification whenever a static or a dynamic trust relationship is found whose source and destination hosts belong to different authorization domains (Linnakangas, column 9, [lines 25-31]).
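The mechanism mapped to claim 1 above (trust relationship records derived from log information, an existing chain of trust relationships determined from those records, and a direct relationship created that does not include the chain), the retain-or-replace alternatives of claims 4 and 5, and the cross-domain rule cited for claim 9 can be illustrated together. The following is an added example written for this page; it is not code from the application under examination or from the Linnakangas or Oorschot patents. The sshd-style log format, the address-to-host inventory and the authorization domains are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (assumed format, not taken from the cited
# patents or the claims). Each line is reported by the destination host and
# records a public-key login initiated from a remote source address.
SAMPLE_LOGS = [
    "hostB sshd[2201]: Accepted publickey for deploy from 10.0.1.10 port 51000 ssh2: RSA SHA256:aaaa",
    "hostC sshd[3304]: Accepted publickey for deploy from 10.0.1.20 port 51001 ssh2: RSA SHA256:bbbb",
    "hostD sshd[4410]: Accepted publickey for admin from 10.0.2.30 port 51002 ssh2: RSA SHA256:cccc",
    "hostB sshd[5500]: Failed publickey for root from 203.0.113.9 port 40000 ssh2",  # no record
]

# Constructed inventory: source address -> host name, host -> authorization domain.
HOST_BY_ADDR = {"10.0.1.10": "hostA", "10.0.1.20": "hostB", "10.0.2.30": "hostC"}
DOMAIN_OF = {"hostA": "corp", "hostB": "corp", "hostC": "corp", "hostD": "dmz"}

LOG_RE = re.compile(
    r"^(?P<dst>\S+) sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src_ip>\S+) .*?(?P<fp>SHA256:\S+)$"
)


def trust_records_from_logs(lines):
    """Detect successful security-protocol events in the log lines and store one
    trust relationship record per event: source host, destination host,
    authenticated user and the fingerprint of the key that granted access."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines produce no record
        src = HOST_BY_ADDR.get(m["src_ip"], m["src_ip"])
        records.append({"src": src, "dst": m["dst"], "user": m["user"],
                        "fp": m["fp"], "kind": "chain"})
    return records


def find_chains(records):
    """Determine every existing chain of trust relationships that runs from a
    first host via one or more intermediate hosts to a second host. Returns
    (first, [intermediates], second) tuples; cycles are not followed."""
    adj = defaultdict(set)
    for r in records:
        adj[r["src"]].add(r["dst"])
    chains = []

    def walk(path):
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt in path:
                continue
            new_path = path + [nxt]
            if len(new_path) >= 3:
                chains.append((new_path[0], new_path[1:-1], new_path[-1]))
            walk(new_path)

    for start in sorted(adj):
        walk([start])
    return chains


def create_direct_relationships(records, keep_chain=True):
    """For each determined chain first -> ... -> second, create a secured direct
    trust relationship first -> second that does not include the chain: the new
    record names no intermediate host ("via" is empty). keep_chain=True keeps
    the chain's records in the database beside the new one; keep_chain=False
    replaces the chain's records with the direct relationship."""
    chains = find_chains(records)
    existing = {(r["src"], r["dst"]) for r in records}
    direct = {}
    chain_edges = set()
    for first, mids, second in chains:
        hops = [first] + mids + [second]
        chain_edges.update(zip(hops, hops[1:]))
        if (first, second) not in existing:
            direct[(first, second)] = {"src": first, "dst": second, "user": None,
                                       "fp": None, "kind": "direct", "via": []}
    db = [r for r in records if keep_chain or (r["src"], r["dst"]) not in chain_edges]
    return db + list(direct.values())


def cross_domain_relationships(db):
    """Policy rule: report every stored relationship whose source and
    destination hosts belong to different authorization domains."""
    return sorted((r["src"], r["dst"]) for r in db
                  if DOMAIN_OF.get(r["src"]) != DOMAIN_OF.get(r["dst"]))


if __name__ == "__main__":
    recs = trust_records_from_logs(SAMPLE_LOGS)
    for first, mids, second in find_chains(recs):
        print("chain:", " -> ".join([first] + mids + [second]))
    db = create_direct_relationships(recs)
    for r in db:
        print(r)
    print("cross-domain:", cross_domain_relationships(db))
```

With the constructed logs the records hostA -> hostB, hostB -> hostC and hostC -> hostD yield three chains, and three direct relationships (hostA -> hostC, hostA -> hostD, hostB -> hostD) are created whose records carry no intermediate host. Because hostD sits in a different authorization domain, the cross-domain rule flags both the original hostC -> hostD record and the two newly created direct relationships that end at hostD; a shortened relationship inherits the policy exposure of the chain it replaces, which is why the check is run over the database after the direct records are stored rather than over the log events alone.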

Regarding claim 11:
Claim 11 is rejected for the same reasons set forth in the rejection of claim 1.

Regarding claim 12:


Regarding claim 14:
Claim 14 is rejected for the same reasons set forth in the rejection of claim 4.

Regarding claim 15:
Claim 15 is rejected for the same reasons set forth in the rejection of claim 5.

Regarding claim 16:
Claim 16 is rejected for the same reasons set forth in the rejection of claim 6.

Regarding claim 17:
Claim 17 is rejected for the same reasons set forth in the rejection of claim 7.

Regarding claim 19:
Linnakangas and Oorschot disclose comprising one of a key manager or an intermediate data capturing apparatus: a server can provide information about successful logins over a security protocol, or a gateway or another intermediate node can provide information about security protocol sessions that are routed through it (Linnakangas, column 4, [lines 5-8]).

Regarding claim 20:
Claim 20 is rejected for the same reasons set forth in the rejection of claim 1.

Regarding claim 21:
Linnakangas and Oorschot disclose wherein each of the first entity, the at least one intermediate entity, and the second entity comprises a device that uses at least one of a key managed by a key manager or a certificate issued by a certificate authority: depending upon the degree of compilation, a subscriber, certification authority, separate chain constructing server or other entity uses the compiled data as data representing the preferred certificate chain, or constructs a preferred certificate chain using the certificate chain data (Oorschot, column 4, [lines 46-51]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Linnakangas with that of Oorschot in order to secure information, and more particularly to provide computer network security systems using cryptographic techniques that employ certificates (Oorschot, column 1, [lines 6-10]).

Regarding claim 22:
Linnakangas and Oorschot disclose wherein the created at least one secured direct trust relationship between the first entity and the second entity comprises a shortened trust relationship for use instead of the existing chain of trust relationships and is independent of the at least one intermediate entity: if information about the originator is available, such as the originating host network address, the key fingerprint used for authentication, or the userID at the originating host, a dynamic trust relationship record is created as described above, with the outside network address used as the destination host address; this address is obtained from the gateway at the perimeter (Linnakangas, column 15, [lines 1-6]).

6.	Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Tommi Linnakangas (US 9319396), in view of Paul C. Van Oorschot (US 6134550), as applied to claim 1, and further in view of Sandeep Bhatt (US20070061125), hereinafter Bhatt.


Regarding claim 8:
Linnakangas and Oorschot disclose determining that the chain of trust relationships (determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device; Linnakangas, column 2, [lines 30-39]), but fail to disclose that the chain violates a policy, a rule, or a setting, and in response thereto replacing at least a segment of the chain of trust relationships with a secured direct trust relationship between end nodes. Bhatt teaches that the access paths are collected in a “validation set”; if there are any permit policies that do not have at least one access path, they are reported as violations (Bhatt, par-33). Further, the user may use the trouble-shooting tool to compute all the services that are accessible to any particular entity in the enterprise, or all the entities that can access a particular service, and the user can compute the actual paths by which a particular service is made available to a client entity (Bhatt, par-37). It would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Linnakangas and Oorschot with that of Bhatt in order to ensure that important or sensitive information does not fall into the wrong hands (Bhatt, par-3).

Regarding claim 18:
Claim 18 is rejected for the same reasons set forth in the rejection of claim 8.

7.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Tommi Linnakangas (US 9319396), in view of Paul C. Van Oorschot (US 6134550), as applied to claim 1, and further in view of Men Long (US20110182427), hereinafter Long.

	Regarding claim 10:
	Linnakangas and Oorschot disclose communications between the first entity and the second entity (the security protocol related event may comprise a login to a server or a communication session routed through an intermediate node; Linnakangas, column 11, [lines 25-27]), but fail to disclose decrypting by an intermediate apparatus at least a part of communications between the first entity and the second entity.
	However, Long teaches decrypting by an intermediate apparatus at least a part of communications between the first entity and the second entity: traffic transmitted to one or more nodes 120 via one or more sessions 90, where the intermediate apparatus may decrypt, at least in part, the respective traffic that it receives from the one or more nodes 120 via the one or more sessions 90 (Long, par-33). It would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teaching of Linnakangas and Oorschot with that of Long.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH H LE whose telephone number is (571)272-8556.  The examiner can normally be reached on Monday-Friday, 8:00 a.m. to 5:00 p.m. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nickerson Jeffrey L can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Kevin Bechtel/Primary Examiner, Art Unit 2491