DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 8/13/2018. Claims 1-15 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/6/2018 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities:
In the “Abstract” section, there is extra “[Figure 2]” at the end, which is not needed.
Appropriate correction is required.

Claim Objections
Claims 2-5, 7-8, 10-12, and 14-15 are objected to because of the following informalities: 
Claims 2-5 recite “A method as claimed in claim 1…”, which should be “The
Claim 7 recites “An administration apparatus as claimed in claim 6, wherein the administration apparatus is provisioned with authorisation read and write to a security policy of a device.” The term “a device” has already been defined previously in the claim and should therefore be referred to using a definite article.
Claim 10 recites “A device as claimed in claim 9, the processor to…”. The term “the processor” should be “the device”. See claims 11 and 12.
Claim 11 recites “A device as claimed in claim 9, the device to: receive a certificate encoding an authorisation.” The term “a certificate” and “an authorisation” have already been defined previously in the claim and should therefore be referred to using a definite article.
Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) are: 
“An/the administration apparatus to: …” in claims 6 and 8.
Claims 6 and 8 are not rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite because the written description discloses the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Figure 3 shows apparatus comprising processor and memory.


If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 12 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 12 recites the limitation "the device to receive the certificate from the administration apparatus or a trusted signing authority apparatus" in the step. There is insufficient antecedent basis for this limitation “the administration apparatus” in the claim. Examiner suggests to change “administration device” in claim 9 to “administration apparatus” for consistency.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 9-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 

Claim 9 does not fall within at least one of the four categories of patent eligible subject matter because it recites “A device comprising a processor to:   ”, which is considered software per se. Applicant can amend the claim to include memory, which is considered hardware in security art; or specify a hardware processor instead.

A machine-readable storage medium encoded with instructions for providing a set of certificates encoding authorisations, the instructions executable by a processor of a trusted signing authority apparatus to cause the apparatus to:   ”, which is considered signal per se. Specification recites that “Such machine-readable instructions may be included on a computer readable storage medium (including but not limited to disc storage, CD-ROM, optical storage, etc.) having computer readable program codes therein or thereon”(¶23) as well as “ For example, the instructions may be provided on a non-transitory computer readable storage medium encoded with instructions, executable by a processor” (¶27). However, these two paragraphs of the specification only provide examples of a machine-readable storage medium, which is not claimed and also not defined as a hardware only or non-transitory medium. Applicant is suggested to amend the claim to recite “a non-transitory machine-readable storage medium”.

The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies.  Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the 

Claims 1-7 and 9-15 are rejected under 35 U.S.C. 103 as being unpatentable over Guo (US 20110247055 A1) in view of Edwards (US 20030023880 A1).

Regarding claim 1, Guo teaches a method for providing a set of certificates encoding authorisations, the method comprising:
processing authorisation requests at a trusted signing authority apparatus (FIG. 3 account authority server) to verify respective digital signatures applied to the requests, the authorisation requests received over a first communication link between the trusted signing authority apparatus and an administration apparatus (FIG. 3 secure server); ([0034-0035] FIG. 3: the user requests access to the secure server in a request operation 302; redirects the user to the account authority service for authentication in a redirection operation 304. The account authority service receives the redirected request in a receiving operation 306.) Here Guo discloses that the secure server is in a trust relationship with the account authority server, upon which it depends for authentication of users and devices (¶33, suggesting multiple); and “first communication link” is between account authority server/secure server. Language that suggests or makes a feature or step optional but does not require that feature or step does not limit the scope of a claim under the broadest reasonable claim interpretation, including statements of intended use, such as limitation “to verify respective digital signatures applied to the requests” in this claim. See MPEP 2103(I)(C).
validating one or more authorisation request parameters of the authorisation requests; account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.) Here level of privilege regarding account network resource the user is requesting is validated.
generating a certificate encoding an authorisation at the trusted signing authority apparatus; and ([0004] an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.) Certificate can be a type of security toke, according to FIG. 2, 212-216.
transmitting the generated certificate to the administration apparatus or a requesting apparatus over a second communication link. ([0036, 0039] the account authority service sends a security token to the user device in an operation 320. The user device receives the security token in receiving operation 322.) Here “second communication link” is between account authority server/user device.

Guo teaches providing certificates encoding authorisations for multiple users and devices, but does not explicitly teach processing respective ones of multiple authorisation requests at a trusted signing authority apparatus to verify respective digital signatures applied to the requests. This aspect of the claim is identified as a difference.
However, Edwards in an analogous art explicitly teaches processing respective ones of multiple authorisation requests at a trusted signing authority apparatus to verify respective digital signatures applied to the requests. ([0054] Using CRMF to transmit authorisation requests allows us to batch authorisation requests (multiple certification requests can be made in a single message).)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “trusted device-specific authentication” concept of Guo, and the “batch authorisation requests” approach of Edwards. One of ordinary skill in the art would have been motivated to perform such a modification to make management easier and more efficient by collecting multiple authorisation requests, batching together all certificates, validating them and issuing a single signed structure (Edwards [0119]).

Regarding claim 2, Guo in view of Edwards teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein an authorisation request parameter comprises an indication of a device’s desired entitlement to use a service. ([Guo 0004] an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. The level of privilege granted by the target account network resource can vary depending on the number and type of factors verified by the account authority service.) Here level of privilege regarding account network resource the user is requesting is the indication of device’s desired entitlement to use a service.

Regarding claim 3, Guo in view of Edwards teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein processing respective ones of multiple authorisation requests at the trusted signing authority apparatus to verify respective digital signatures applied to the requests further comprises verifying a digital signature of an authorisation request applied to the authorisation using a private key of a device public key pair. ([Edwards 0007] In ensure that the request has been generated by a holder of a private key associated with the public key.) Here the claim is interpreted in light of ¶8 of the specification “The requests for authorisation are tied to an identity of a device through a digital signature. This is done by signing the request with the private key of a device's public key pair.”
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “trusted device-specific authentication” concept of Guo, and the “public/private key encryption” approach of Edwards. One of ordinary skill in the art would have been motivated to perform such a modification to improve security by using cryptography to ensure that the request has been generated by a holder of a private key associated with the public key (Edwards [0007]).

Regarding claim 4, Guo in view of Edwards teaches all the features with respect to claim 1, as outlined above. The combination further teaches signing an identity certificate for a device. ([Guo 0030] FIG. 2: In a generation operation 212, the account authority service builds the device ID and public key into a device certificate and then signs the certificate using the account authority service's private key to bind the user device's public key to the device ID. In this manner, an entity wishing to confirm that the device ID belongs to the user device can then evaluate the certificate, using the account authority service's public key to verify its digital signature.)

Regarding claim 5, Guo in view of Edwards teaches all the features with respect to claim 1, as collating a set of generated certificates for transmission to the administration apparatus. ([Edwards 0119] batching together all certificates for a single user and validating them and issuing a single signed structure.)

Regarding claim 7, Guo in view of Edwards teaches all the features with respect to claim 6, as outlined above. The combination further teaches wherein the administration apparatus is provisioned with authorisation read and write to a security policy of a device. ([Guo 0004] an account authority service or other authentication provider verify both factors and provide a security token in accordance with the security policy of the account network resource the user is intending to access. [0013] the account authority service establishes and maintains these trust relationships with account network resources based on a combination of contractual agreements, such as terms of use, security policies, and cryptographic keys that protect the communications between the account authority service and each account network resource.) Here Guo discloses account authority service with “authorisation read” in ¶4 and “authorisation write” in ¶13.

Regarding claims 6 and 9-15, the scope of the claims are similar to that of claims 1, 3, and 5, respectively.  Accordingly, the claims are rejected using a similar rationale.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Guo (US 20110247055 A1) in view of Edwards (US 20030023880 A1) and Larrick (WO 2017053835 A1).

Regarding claim 8, Guo in view of Edwards teaches all the features with respect to claim 6, as outlined above. But the combination does not teach the administration apparatus to receive a 
However, Larrick in an analogous art explicitly teaches 
the administration apparatus to receive a certificate encoding an authorisation from the trusted signing authority apparatus; and ([0067] At block 544, the client proxy 210 receives certificate information from one or more certificate authorities 130a-b.)
transmit the certificate to the device. ([0069] At block 550, the client proxy 210 provides the certificate information to the computing device that requested the certificate information, such as client device 110a.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “trusted device-specific authentication” concept of Guo, and the “client proxy” approach of Larrick. One of ordinary skill in the art would have been motivated to perform such a modification, which will reduce complexities because certificate authorities only need to interface with dedicated client proxy, rather than various individual client device. In addition, performance can be improved since the client proxy caches at least a portion of the received certificate information for later use (Larrick [0068]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20150172064 A1, "Method and relay device for cryptographic communication", by Takenaka, teaches a relay device that is provided between a terminal and a server. The communication method includes: verifying a reliability of a server certificate that is 
US 20170288883 A1, "Certificate distribution using derived credentials", by Goverdhan, teaches distributing credentials using derived credentials, such as by relaying a simple certificate enrollment protocol (SCEP) payload. A computing device configures a device profile corresponding to a client device. The device profile can include a SCEP payload. The computing device later receives an override for the SCEP payload from a broker service. In response, the computing device creates a copy of the device profile that includes the override for the SCEP payload. The computing device then sends the copy of the device profile to the client device.
US 20140195800 A1, "Certificate Information Verification System", by Sabin, teaches receiving a request for certificate action, where the certificate action is defined to generate a new-certificate. Certificate contents on the request are checked against a certificate profile, where the request is received by a proxy system before being received by a certificate services system. Desired action is taken based on the results of the check. The method enables a proxy system for injecting certificate request flow and capturing the requests when the request is sent to a certificate services system such that the proxy system's primary function monitors the request to ensure that the request and resulting certificate actions are correct and properly configured, thus increasing security of the certificates for audit purposes by using separate servers within certificate authority (CA)'s system to host the proxy system without causing malicious 
US 20070094493 A1, "Digital certificate that indicates a parameter of an associated cryptographic token", by Ali, teaches obtaining a digital certificate that indicates a parameter of a cryptographic token associated with the digital certificate. The method further comprises associating a level of trust with the digital certificate based on the parameter of the cryptographic token.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 

/H.Y./Examiner, Art Unit 2493


/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493