DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/30/2020 has been entered.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
	Claims 1-3, 5-10, 12-17, 19-23 are pending.  Claims 4, 11, 18 are cancelled.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/26/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
The information disclosure statement (IDS) submitted on 12/31/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 2, 9, 16 are objected to because of the following informalities:  
Claims 2, 9, and 16 contain the following: “sending the registration request message to the server configured to stores”.  The word “stores” should be “store”.  
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 7-8, 10, 14-15 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Atherton (PGPUB 2015/0046707), and further in view of Poon et al (PGPUB 2014/0156531) and Baghdasaryan et al (PGPUB 2011/0082791).

Regarding Claim 15:
Atherton teaches a computer-implemented system (paragraph 32, smartphone receives transaction information), comprising: 
one or more computers (paragraph 32, smartphone); and 
one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations comprising (paragraph 153, computer readable storage media storing instructions provided to controller for execution): 
(paragraph 31-32, consumer selects products to be purchased from merchant, i.e. purchase request; information detailing proposed purchase is presented at consumer’s smartphone; smartphone receives transaction information); 
collecting first biometric authentication information of a user associated with the service request (paragraph 32, smartphone captures biometric information used to identify if the user is an authorized user); 
comparing the first biometric authentication information with preset biometric authentication information (paragraph 41, 48, bio/crypto module stores biometric templates for one or more enrolled users; bio/crypto module biometrically identifies authorized consumer based on comparison of live biometric data gathered by the smartphone with biometric template data stored in bio/crypto module); 
determining the first biometric authentication information and the preset biometric authentication information are consistent (paragraph 41, 48, bio/crypto module biometrically identifies authorized consumer based on comparison of live biometric data gathered by the smartphone with biometric template data stored in bio/crypto module); 
reading a pre-stored digital signature certificate private key (paragraph 32, 42, 48, bio/crypto module internally generates public/private key pair associated with biometric identification of authorized consumer; if bio/crypto module biometrically identifies the authorized consumer, it will enable relevant private bio-key of biometrically authorized consumer in order to perform cryptographic operation); 
digitally signing the service request according to the digital signature certificate private key (paragraph 32, 70, bio/crypto module enables authorized consumer’s private encryption bio-key for use in generation of a digital signature corresponding to the product purchase that the authorized consumer has biometrically authorized); 
(paragraph 32, authenticated transaction request comprising transaction information, digital signature, and information identifying authorized user is generated by the smartphone); 
sending the biometric information verification message to a server, wherein the server is configured to read a pre-stored digital signature certificate public key corresponding to the digital signature certificate private key (paragraph 30, 32, 83, authenticated transaction request transmitted by smartphone to transaction approval center, which verifies the authentication request using consumer’s public cryptographic key obtained from public key server); and 
receiving, from the server, authentication result information after the server verifies the biometric information verification message according to the digital signature certificate public key (paragraph 31, 93, if transaction is approved, transaction approval center communicates approval for the purchase back to the consumer’s smartphone and also to the merchant; the authorized consumer then has a complete record of the transaction, including a copy of the purchase data packet, purchase data bundle, and transaction approval center purchase approval).
Atherton does not explicitly teach wherein the digital signature certificate private key is generated based on a verification of an ID of the user, an ID of the user device, and result information of the comparison between the first biometric authentication information and the preset biometric authentication information.
However, Poon teaches the concept wherein a digital signature certificate private key is generated based on a verification of an ID of a user, an ID of a user device, and result information of biometric authentication (paragraph 226-227, Fig. 20, mobile device receives at least payment ID and supplementary ID and transmits to payment gateway; verification module verifies payment ID and supplemental ID and provides verification result; mobile device ID is generated and saved to mobile device; generation of private key is performed upon successful verification of payment ID and supplementary ID, and registration of mobile device ID; private key is therefore generated based on completion of these elements; paragraph 58-59, payment ID identifies user account; supplemental data includes biometric data and GPS data (i.e. location ID of a terminal device)); and
Atherton teaches wherein the biometric authentication is a comparison between the first biometric authentication information and the preset biometric authentication information (paragraph 41, 48, bio/crypto module stores biometric templates for one or more enrolled users; bio/crypto module biometrically identifies authorized consumer based on comparison of live biometric data gathered by the smartphone with biometric template data stored in bio/crypto module).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the digital certificate private key generation teachings of Poon with the biometric authentication system of Atherton, in order to provide additional means of authenticating a user prior to generating or updating public/private key pairs, thereby improving the strength of the authentication and preventing impersonation, identity theft, or other attacks while conducting transactions.
Neither Atherton nor Poon explicitly teaches obtaining, by a user device, a first invocation message;
responsive to obtaining the first invocation message, determining the user device supports collecting biometric information and that preset biometric authentication information is stored on the user device; and
sending, by the user device, information based on determining the user device supports collecting the biometric information and that the preset biometric authentication information is stored on the user device to a payment client.
However, Baghdasaryan teaches the concept of obtaining, by a user device, a first invocation message (abstract, request for secure financial transaction received from user, who is authenticated with a biometric device; paragraph 54, system determines that Web site supports biometric authentication by monitoring web site data and detecting certain types of transactions (i.e. messages) on secure web sites; when secure transaction is initiated, system checks computing device accessing web site to determine if computing device includes fingerprint sensor or other biometric device; if so, enrollment and/or authentication process is activated);
responsive to obtaining the first invocation message, determining the user device supports collecting biometric information and that preset biometric authentication information is stored on the user device (paragraph 54, system checks computing device accessing web site to determine if computing device includes fingerprint sensor or other biometric device; if so, enrollment and/or authentication process is activated; paragraph 74, Fig. 17, procedure for enrolling user of biometric authentication system; Fig. 17 shows enrollment process, wherein user is asked to enroll with biometric device and sends enrollment request to biometric service; user provides biometrics; biometric service binds user name enrollment template shared key with secure transaction web site location (STWSL), and stores in secure storage (i.e. preset biometric authentication information is determined to be stored on user device)); and
sending, by the user device, information based on determining the user device supports collecting the biometric information and that the preset biometric authentication information is stored on the user device to a payment client (paragraph 74, Fig. 17, biometric browser extension sends sensor ID to secure transaction web server and inserts text saying that biometric device has been added, i.e. information is sent based on determining the user device supports collecting biometric information and that preset biometric authentication information is stored).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the biometric enrollment request message teachings of Baghdasaryan with the biometric authentication system of Atherton in view of Poon, in order to inform a user that 

Regarding Claim 17:
Atherton in view of Poon and Baghdasaryan teaches the computer-implemented system of claim 15.  In addition, Atherton teaches wherein biometric authentication information comprises one or more of fingerprint information, face image information, and voice information (paragraph 61, camera used to capture image for iris or facial recognition; microphone used to capture audio for voice recognition; touchscreen used to capture fingerprint or handprint data).

Regarding Claims 1, 3:
	These are the method claims corresponding to the system of claims 15, 17 respectively, and are therefore rejected for corresponding reasons.

Regarding Claims 8, 10:
	These are the non-transitory, computer-readable medium claims corresponding to the system of claims 15, 17 respectively, and are therefore rejected for corresponding reasons.

Regarding Claim 14:
Atherton in view of Poon and Baghdasaryan teaches the non-transitory, computer-readable medium of claim 8.  In addition, Atherton teaches wherein the service request is a payment request, and wherein authentication is identity authentication during payment (paragraph 37, the purpose of the biometric authorization process is to biometrically associate the consumer 100 with each product purchase made by the consumer 100; biometric authorization by the consumer 100 of a product purchase results in a biometrically authenticated product purchase request (including, among other things, the biometrically confirmed identity of the consumer 100 and details of the proposed purchase) being transferred over the network 103 to the Transaction Approval Center 104; the Transaction Approval Center 104 verifies the consumer's identity and determines whether the consumer 100 is approved to make the purchase (in terms of available credit, credit history, etc.); the Transaction Approval Center 104 then provides approval to the merchant 102 to proceed--or refuses the transaction if the consumer 100 is not approved to make the proposed purchase).

Regarding Claim 7: 
	This is the method claim corresponding to the non-transitory, computer-readable medium of claim 14, and is therefore rejected for corresponding reasons.

Claims 2, 6, 9, 13, 16, 20-23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Atherton in view of Poon and Baghdasaryan, and further in view of Soto et al (PGPUB 2004/0059924).

Regarding Claim 16:
Atherton in view of Poon and Baghdasaryan teaches the computer-implemented system of claim 15.
Neither Atherton nor Poon nor Baghdasaryan explicitly teaches wherein the operations further comprise generating and storing the digital signature certificate private key and the digital signature certificate public key, comprising: 

when the comparison shows that the second biometric authentication information is consistent with the preset biometric authentication information, generating the digital signature certificate private key and the digital signature certificate public key corresponding to the second biometric authentication information, and storing the digital signature certificate private key; 
after the registration request is digitally signed according to a first preset private key, generating a registration request message, wherein the registration request message includes the digital signature certificate public key; and 
sending the registration request message to the server configured to stores, after verifying and signing of the registration request message according to a first preset public key succeed, the digital signature certificate public key, wherein the first preset private key corresponds to the first preset public key.
However, Soto teaches the concept wherein operations comprise generating and storing a digital signature certificate private key and a digital signature certificate public key, including: 
receiving, by a terminal device, a registration request, and collecting second biometric authentication information of a user according to the registration request (paragraph 55, 60, enrollment process provided with user’s identifying information; after installation, user uses client software to login to BioPKI system using user ID, password, and Final-Enrollment-Key; user is prompted to enter biometric for collection); 
when a comparison shows that the second biometric authentication information is consistent with preset biometric authentication information, generating the digital signature certificate private key and the digital signature certificate public key corresponding to the second biometric authentication information, and storing the digital signature certificate private key (paragraph 60-61, user enters biometric for collection; collection is supervised to ensure that named user is the actual person supplying biometric sample, i.e. consistent with preset biometric authentication information; if collection results in successful creation of biometric template, user will be registered with system; this includes generating public/private key pair and creating digital certificate containing user’s identification information and public key); 
after the registration request is digitally signed according to a first preset private key, generating a registration request message, wherein the registration request message includes the digital signature certificate public key (paragraph 55-56, 61, user is registered with system; registration includes generating public/private key pair and creating digital certificate which is then provided to service; paragraph 8, digital certificates are encrypted, i.e. signed; public key used to decode certificate for verification; certificate therefore encrypted with private key); and 
sending the registration request message to the server configured to stores, after verifying and signing of the registration request message according to a first preset public key succeed, the digital signature certificate public key, wherein the first preset private key corresponds to the first preset public key (paragraph 8, 53-61, user is registered with system; registration includes generating public/private key pair and creating digital certificate which is then provided to service; paragraph 8, digital certificates are encrypted, i.e. signed; public key used to decode certificate for verification; certificate therefore encrypted with private key).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the certificate registration teachings of Soto with the biometric authentication system of Atherton in view of Poon and Baghdasaryan, in order to utilize secure public key infrastructure techniques which are well known in the art, such as signed certificates and biometric authentication, in order to register or update certificate information with a service provider.

Claim 20:
Atherton in view of Poon, Baghdasaryan, and Soto teaches the computer-implemented system of claim 16.  In addition, Soto teaches wherein sending the registration request message to the server comprises: 
verifying, by the user device, that the user is a valid user (paragraph 41, server includes registration process; entry of user’s account ID, password, and enrollment key via client); 
performing a check on an original payment password responsive to verifying that the user is a valid user (paragraph 41-42, server validates account ID, password, and enrollment key); and 
determining that the check is successful (paragraph 60-61, if user ID, password, and enrollment key matches stored information, user is prompted to enter biometric for collection; if collection is successful, user will be registered with system; registration includes creating and sending digital certificate to service (registration request message) with which user is intending to register); and
responsive to determining that the check is successful, sending the registration request message to the server (paragraph 60-61, if user ID, password, and enrollment key matches stored information, user is prompted to enter biometric for collection; if collection is successful, user will be registered with system; registration includes creating and sending digital certificate to service (registration request message) with which user is intending to register).
The rationale to combine Atherton and Soto is the same as provided for claim 16 due to the overlapping subject matter between claims 16 and 20.

Regarding Claim 23:
	Atherton in view of Poon, Baghdasaryan, and Soto teaches the computer-implemented system of claim 16.  In addition, Poon teaches wherein generating the digital signature certificate public key comprises generating the digital signature certificate public key corresponding to the ID of the user, the  (paragraph 226-227, Fig. 20, mobile device receives at least payment ID and supplementary ID and transmits to payment gateway; verification module verifies payment ID and supplemental ID and provides verification result; mobile device ID is generated and saved to mobile device; generation of private key is performed upon successful verification of payment ID and supplementary ID, and registration of mobile device ID; private key therefore corresponds to payment ID, mobile device ID, and result of comparison; paragraph 128, mobile device generates key pair, i.e. public and private key, during registration; public key corresponds to private key which corresponds to payment ID, mobile device ID, and result of comparison; paragraph 58-59, payment ID identifies user account; supplemental data includes biometric data and GPS data (i.e. location ID of a terminal device)).
The rationale to combine Atherton and Poon is the same as provided for claim 16 due to the overlapping subject matter between claims 16 and 23.

Regarding Claims 2, 6, 21:
	These are the method claims corresponding to the system of claims 16, 20, 23 respectively, and are therefore rejected for corresponding reasons.

Regarding Claims 9, 13, 22:
	These are the non-transitory, computer-readable medium claims corresponding to the system of claims 16, 20, 23 respectively, and are therefore rejected for corresponding reasons.

Claims 5, 12, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Atherton in view of Poon, Baghdasaryan, and Soto, and further in view of Osotkraphun et al (PGPUB 2017/0277878).

Claim 19:
Atherton in view of Poon, Baghdasaryan, and Soto teaches the computer-implemented system of claim 16.  
Neither Atherton nor Poon nor Baghdasaryan nor Soto explicitly teaches wherein receiving the registration request and collecting the second biometric authentication information of the user according to the registration request comprises: 
sending, by the user device, the registration request to the server; 
receiving, from the server, a response message associated with the registration request; 
verifying and signing the response message; and 
after the verification and signature succeed, collecting the second biometric authentication information of the user.
However, Osotkraphun teaches the concept wherein receiving a registration request and collecting second biometric authentication information of a user according to the registration request comprises: 
sending, by a user device, the registration request to a server (paragraph 65, service providing unit transmits message of an authentication element registration request to authentication processing unit); 
receiving, from the server, a response message associated with the registration request (paragraph 71, authentication processing unit generates message of authentication element registration response); 
verifying and signing the response message (paragraph 73, verification unit performs verification process using assertion information received as message of authentication element registration response); and 
(paragraph 54, 73, authentication element is information for biometrics of the user and is information indicating individual biological feature of the user; when verification has succeeded, verification unit generates authentication element certificate and registers certificate in storage unit; paragraph 74, certificate includes authentication element identification information, and authentication assertion, and an authentication element registration assertion; certificate is biometric reference template certificate).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the biometric information collection and registration teachings of Osotkraphun with the biometric authentication system of Atherton in view of Poon, Baghdasaryan, and Soto, in order to provide a means of enrolling new users in a security system in a secure way, thereby increasing the installed security base, and preventing users from divulging sensitive information to unauthorized server devices.

Regarding Claim 5:
	This is the method claim corresponding to the system of claim 19, and is therefore rejected for corresponding reasons.

Regarding Claim 12:
	This is the non-transitory, computer-readable medium claim corresponding to the system of claim 19, and is therefore rejected for corresponding reasons.

Response to Arguments


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814.  The examiner can normally be reached on 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.







/Kevin Bechtel/Primary Examiner, Art Unit 2491