Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s preliminary amendment filed on 14 November 2019, wherein claims 1-25 have been canceled. Claims 26-50 have been added. Claims 26-50 remain pending. 

Information Disclosure Statement
4.	The Information Disclosure Statements respectfully submitted on 14 November 2019 and 19 May 2020 have been considered by the Examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

Claims 26-33 and 35-50 are rejected under 35 U.S.C. 103 as being unpatentable over Rongo et al. (Pub No. 2015/0121470) in view of Lu (Pub No. 2014/0189799).
Referring to the rejection of claim 26, Rongo et al. discloses a device operable in an Internet of Things (IoT) network, comprising: (See Rongo et al., para. 59 and Fig. 2A, i.e. configuration of an IoT device, item 200A)
communications circuitry; (See Rongo et al., para. 59 and Fig. 2A, i.e. transceiver used for wireless communications, item 206)
processing circuitry; (See Rongo et al., para. 59 and Fig. 2A, i.e. processor, item 208)
and at least one storage device including instructions embodied thereon, wherein the instructions, which when executed by the processing circuitry, (See Rongo et al., para. 59 and Fig. 2A, i.e. memory, item 212)
configure the processing circuitry to perform operations for user-authorized onboarding in the IoT network, the operations to: (See Rongo et al., para. 76 and Fig. 6, i.e. a process of onboarding with a first IoT device is disclosed)
obtain, from a first onboarding device via the communications circuitry, first information to perform a first onboarding action on the device, (See Rongo et al., para. 79 and Fig. 6, i.e. the first onboarding device to broadcast a configuration request message and send a response message including access instructions to perform onboarding)
perform the first onboarding action on the device using the first information; (See Rongo et al., para. 79 and Fig. 6, i.e. the first onboarding action performed on the first IoT device using the response message transmitted for joining the IoT network using the set of connection instructions given by the second IoT device)
obtain, from a second onboarding device via the communications circuitry, second information to perform a second onboarding action on the device, wherein the second onboarding device is distinct from the first onboarding device; (See Rongo et al., para. 80-81 and Fig. 7, i.e. the second onboarding device to broadcast a configuration request message and transmit a response message including access instructions to perform onboarding)
and perform the second onboarding action on the device using the second information. (See Rongo et al., para. 81 and Fig. 7, i.e. the second onboarding action performed on the second IoT device using the response message transmitted for joining the IoT network using the security features such as SSID or passphrase to ensure that the first IoT device is permitted to access the second IoT device)
Rongo et al. fail to explicitly disclose wherein the first onboarding action is based on a first privilege level established from a first user authentication and a second privilege level established from a second user authentication. 
Lu discloses a method and system for enhanced security for limited access through multi-factor authorization to cloud computing resources.
Lu discloses the first privilege level established from a first user authentication and a second privilege level established from a second user authentication. (See Lu, para. 44-55 and Figs. 5-6, i.e. the user authentication is performed by the authorization protocol known as OAuth 2.0 for requesting user permissions to onboard an IoT device and the user is authenticated and the authorization level of the user is verified before interacting with a resource)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Rongo et al.’s peer-to-peer onboarding of internet of things (IoT) devices over various communication interfaces modified with Lu’s method and system for enhanced security for limited access through multi-factor authorization to cloud computing resources.
Motivation for such an implementation would enable user authentication and verifying authorization of the user using the authorization protocol known as OAuth 2.0. (See Lu, para. 52) 

Referring to the rejection of claim 27, (Rongo et al. modified by Lu) discloses wherein the first and second onboarding actions are performed as part of a plurality of onboarding actions performed on the device, the plurality of onboarding actions including: connectivity, discovery, trust establishment, service provisioning, and device configuration actions. (See Rongo et al., para. 83-84)
Referring to the rejection of claim 28, (Rongo et al. modified by Lu) discloses wherein respective onboarding actions of the plurality of onboarding actions are performed on the device in response to approvals provided by a plurality of respective user agents; (See Rongo et al., para. 81) and wherein the respective user agents (See Rongo et al., para. 81)

Referring to the rejection of claim 29, (Rongo et al. modified by Lu) discloses initiate a first request of the first onboarding action to the first onboarding device, wherein the first information to perform the first onboarding action is provided in response to the first request; (See Rongo et al., para. 79) and initiate a second request of the second onboarding action to the second onboarding device, wherein the second information to perform the second onboarding action is provided in response to the second request. (See Rongo et al., para. 80-81) 
Referring to the rejection of claim 30, (Rongo et al. modified by Lu) discloses verify the first user authentication, based on the first information to perform the first onboarding action; (See Rongo et al., para. 79) and verify the second user authentication, based on the second information to perform the second onboarding action. (See Rongo et al., para. 81)
Referring to the rejection of claim 31, (Rongo et al. modified by Lu) discloses wherein the first onboarding action and the second onboarding action are conducted in response to respective user authentications obtained with a three-way authorization protocol, wherein the three-way authorization protocol includes obtainment of approval from at least one user agent and obtainment of approval from an authorization service on behalf of the respective onboarding device; (See Rongo et al., para. 81 and Fig. 7) (See Lu, para. 621-633 and Fig. 6)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

Referring to the rejection of claim 32, (Rongo et al. modified by Lu) discloses the operations further to log information for the approval from the at least one user agent and log information for the approval from the authorization service to a blockchain ledger. (See Lu, para. 39, 43 and 84)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

Referring to the rejection of claim 33, (Rongo et al. modified by Lu) discloses wherein the three-way authorization protocol includes: a request from the respective onboarding device to the user agent to obtain the approval, (See Lu, para. 55-58) a response from the user agent to indicate the approval, (See Lu, para. 59-61) a request from the respective onboarding device to the authorization service to obtain an authorization service token, (See Lu, para. 62) and a response from the authorization service to indicate the authorization service token; (See Lu, para. 63) and wherein information to perform the respective onboarding action includes information based on the authorization service token and the response from the user agent. (See Lu, para. 64-74)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

(See Rongo et al., para. 59 and Fig. 2A, i.e. an IoT device, item 200A used for onboarding comprising one or more application programming instructions, item 206 executed with a processor, item 208 and a memory, item 212)
obtaining, from a first onboarding device, first information to perform a first onboarding action on the device, (See Rongo et al., para. 79 and Fig. 6, i.e. the first onboarding device to broadcast a configuration request message and send a response message including access instructions to perform onboarding)
performing the first onboarding action on the device using the first information; (See Rongo et al., para. 79 and Fig. 6, i.e. the first onboarding action performed on the first IoT device using the response message transmitted for joining the IoT network using the set of connection instructions given by the second IoT device)
obtaining, from a second onboarding device, second information to perform a second onboarding action on the device, (See Rongo et al., para. 80-81 and Fig. 7, i.e. the second onboarding device to broadcast a configuration request message and transmit a response message including access instructions to perform onboarding)
and performing the second onboarding action on the device using the second information. (See Rongo et al., para. 81 and Fig. 7, i.e. the second onboarding action performed on the second IoT device using the response message transmitted for joining the IoT network using the security features such as SSID or passphrase to ensure that the first IoT device is permitted to access the second IoT device)
Rongo et al. fail to explicitly disclose wherein the first onboarding action is based on a first privilege level established from a first user authentication and a second privilege level established from a second user authentication. 
Lu discloses a method and system for enhanced security for limited access through multi-factor authorization to cloud computing resources.
Lu discloses the first privilege level established from a first user authentication and a second privilege level established from a second user authentication. (See Lu, para. 44-55 and Figs. 5-6, i.e. the user authentication is performed by the authorization protocol known as OAuth 2.0 for requesting user permissions to onboard an IoT device and the user is authenticated and the authorization level of the user is verified before interacting with a resource)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

Referring to the rejection of claim 36, (Rongo et al. modified by Lu) discloses further comprising: performing the first and second onboarding actions on the device as part of a plurality of onboarding actions performed on the device, the plurality of onboarding actions including: connectivity, discovery, trust establishment, service provisioning, and device configuration actions; (See Rongo et al., para. 83-84)
(See Rongo et al., para. 81)
Referring to the rejection of claim 37, (Rongo et al. modified by Lu) discloses wherein the respective user agents prompt user interaction to obtain the approvals for the plurality of onboarding actions from respective human users. (See Rongo et al., para. 81)
Referring to the rejection of claim 38, (Rongo et al. modified by Lu) discloses further comprising: initiating a first request of the first onboarding action to the first onboarding device, wherein the first information to perform the first onboarding action is provided in response to the first request; (See Rongo et al., para. 79) and initiating a second request of the second onboarding action to the second onboarding device, wherein the second information to perform the second onboarding action is provided in response to the second request. (See Rongo et al., para. 80-81)
Referring to the rejection of claim 39, (Rongo et al. modified by Lu) discloses further comprising: verifying the first user authentication, based on the first information to perform the first onboarding action; (See Rongo et al., para. 79) and verifying the second user authentication, based on the second information to perform the second onboarding action. (See Rongo et al., para. 80)
(See Rongo et al., para. 81 and Fig. 7)
and wherein the approval from the authorization service is received in an OAuth2, OpenID-Connect, or Kerberos interaction obtained on behalf of the at least one user agent. (See Lu, para. 621-633 and Fig. 6)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

Referring to the rejection of claim 41, (Rongo et al. modified by Lu) discloses further comprising: logging information for the approval from the at least one user agent and log information for the approval from the authorization service to a blockchain ledger. (See Lu, para. 39, 43 and 84)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

Referring to the rejection of claim 42, (Rongo et al. modified by Lu) discloses wherein the three-way authorization protocol includes: a request from the respective onboarding device to the user agent to obtain the approval, (See Lu, para. 55-58) a response from the user agent to indicate the approval, (See Lu, para. 59-61) a request from the respective onboarding device to the authorization service to obtain an authorization service token, (See Lu, para. 62) and a response from the authorization  (See Lu, para. 63) and wherein information to perform the respective onboarding action includes information based on the authorization service token and the response from the user agent. (See Lu, para. 64-74)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 
Referring to the rejection of claim 43, (Rongo et al. modified by Lu) discloses at least one non-transitory device-readable storage medium comprising instructions, wherein the instructions, when executed by a processing circuitry of a device, cause the processing circuitry to perform operations for user-authorized onboarding in an Internet of Things (IoT) network, with operations comprising: (See Rongo et al., para. 59 and 67 and Fig. 2A-3, i.e. a non-transitory device readable storage medium comprising instructions when executed by a processor, item 208 IoT device, and item 200A used for onboarding)
obtaining, from a first onboarding device, first information to perform a first onboarding action on the device, (See Rongo et al., para. 79 and Fig. 6, i.e. the first onboarding device to broadcast a configuration request message and send a response message including access instructions to perform onboarding)
performing the first onboarding action on the device using the first information; (See Rongo et al., para. 79 and Fig. 6, i.e. the first onboarding action performed on the first IoT device using the response message transmitted for joining the IoT network using the set of connection instructions given by the second IoT device)

(See Rongo et al., para. 80-81 and Fig. 7, i.e. the second onboarding device to broadcast a configuration request message and transmit a response message including access instructions to perform onboarding)
and performing the second onboarding action on the device using the second information. (See Rongo et al., para. 81 and Fig. 7, i.e. the second onboarding action performed on the second IoT device using the response message transmitted for joining the IoT network using the security features such as SSID or passphrase to ensure that the first IoT device is permitted to access the second IoT device)
Rongo et al. fail to explicitly disclose wherein the first onboarding action is based on a first privilege level established from a first user authentication and a second privilege level established from a second user authentication. 
Lu discloses a method and system for enhanced security for limited access through multi-factor authorization to cloud computing resources.
Lu discloses the first privilege level established from a first user authentication and a second privilege level established from a second user authentication. (See Lu, para. 44-55 and Figs. 5-6, i.e. the user authentication is performed by the authorization protocol known as OAuth 2.0 for requesting user permissions to onboard an IoT device and the user is authenticated and the authorization level of the user is verified before interacting with a resource)


Referring to the rejection of claim 44, (Rongo et al. modified by Lu) discloses the operations further comprising: performing the first and second onboarding actions on the device as part of a plurality of onboarding actions performed on the device, the plurality of onboarding actions including: connectivity, discovery, trust establishment, service provisioning, and device configuration actions; (See Rongo et al., para. 83-84)
wherein respective onboarding actions of the plurality of onboarding actions are performed on the device in response to approvals provided by a plurality of respective user agents. (See Rongo et al., para. 81)
Referring to the rejection of claim 45, (Rongo et al. modified by Lu) discloses wherein the respective user agents prompt user interaction to obtain the approvals for the plurality of onboarding actions from respective human users. (See Rongo et al., para. 81)
Referring to the rejection of claim 46, (Rongo et al. modified by Lu) discloses the operations further comprising: initiating a first request of the first onboarding action to the first onboarding device, wherein the first information to perform the first onboarding action is provided in response to the first request; (See Rongo et al., para. 79) and initiating a second request of the second onboarding action to the second onboarding device, wherein the second information to perform the second onboarding action is (See Rongo et al., para. 80-81)
Referring to the rejection of claim 47, (Rongo et al. modified by Lu) discloses the operations further comprising: verifying the first user authentication, based on the first information to perform the first onboarding action; (See Rongo et al., para. 79) and verifying the second user authentication, based on the second information to perform the second onboarding action. (See Rongo et al., para. 81)
Referring to the rejection of claim 48, (Rongo et al. modified by Lu) discloses wherein the first onboarding action and the second onboarding action are conducted in response to respective user authentications obtained with a three-way authorization protocol, wherein the three-way authorization protocol includes obtainment of approval from at least one user agent and obtainment of approval from an authorization service on behalf of the respective onboarding device; (See Rongo et al., para. 81 and Fig. 7) wherein the approval from the authorization service is received in an OAuth2, OpenID-Connect, or Kerberos interaction obtained on behalf of the at least one user agent. (See Lu, para. 621-633 and Fig. 6)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 
Referring to the rejection of claim 49, (Rongo et al. modified by Lu) discloses the operations further comprising: logging information for the approval from the at least one user agent and log information for the approval from the authorization service to a blockchain ledger. (See Lu, para. 39, 43 and 84)

Referring to the rejection of claim 50, (Rongo et al. modified by Lu) discloses wherein the three-way authorization protocol includes: a request from the respective onboarding device to the user agent to obtain the approval, (See Lu, para. 55-58) a response from the user agent to indicate the approval, (See Lu, para. 59-61) a request from the respective onboarding device to the authorization service to obtain an authorization service token, (See Lu, para. 62) and a response from the authorization service to indicate the authorization service token; (See Lu, para. 63) and wherein information to perform the respective onboarding action includes information based on the authorization service token and the response from the user agent. (See Lu, para. 64-74)
The rationale for combining Rongo et al. in view of Lu is the same as claim 26. 

Claim 34 is rejected under 35 U.S.C. 103 as being unpatentable over Rongo et al. (Pub No. 2015/0121470) in view of Lu (Pub No. 2014/0189799) as applied to claim 26 above, and further in view of Lee (Pub No. 2018/0063879). 
While the combination of Rongo et al. and Lu discloses peer-to-peer onboarding of internet of things (IoT) devices over various communication interfaces, neither reference explicitly discloses Open Connectivity Foundation (OCF) and Representational State Transfer (RESTful).
Lee et al. discloses an apparatus and method for interoperation between Internet-of-Things (IoT) devices for performing an endpoint discovery procedure 
Referring to the rejection of claim 34, (Rongo et al. and Lu modified by Lee) discloses wherein communications in the IoT network to perform the operations are conducted according to one or more Open Connectivity Foundation (OCF) specifications, (See Lee, para. 37-46) and wherein one or more of the communications comprise Representational State Transfer (RESTful) interactions among one or more IoT network topologies. (See Lee, para. 150 and 323)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Rongo et al.’s peer-to-peer onboarding of internet of things (IoT) devices over various communication interfaces and Lu’s method and system for enhanced security for limited access through multi-factor authorization to cloud computing resources modified with Lee et al.’s apparatus and method for interoperation between Internet-of-Things (IoT) devices for performing an endpoint discovery procedure between an Open Connectivity Foundation (OCF) and a Bluetooth Low Energy (BLE) device.
Motivation for such an implementation would enable user authentication and verifying authorization of the user using the authorization protocol known as OAuth 2.0. (See Lu, para. 52) 
Motivation for such an implementation would enable an Internet-of-Things (IoT) device method using an IoT device using OCF specifications and RESTful interactions amongst IoT networks. (See Lee, para. 9-10)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871.  The examiner can normally be reached on IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/COURTNEY D FIELDS/Examiner, Art Unit 2436
July 09, 2021

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436