DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1-20 are pending.

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/4/21 has been entered.
 
Allowable Subject Matter
3.	Claims 19-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.






Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
4.	Claims 1-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sherman, et al. [US 2006/005946] in view of Hockey, et al. [US 2017/0070500].
Claim 1:  	Sherman teaches a method comprising: 
in response to determining that a security certificate is necessary, transmitting a request to a certificate authority [Sherman: 0028; a digital certificate 232 may be issued to the client 124 by the registration/authentication system 102 of the registration/authentication system 102 or by a third party certification authority. Thus, a “certificate authority” can be given the broadest interpretation (BRI) as also a registration/authentication system], the request including an electronic identifier of an electronic device; [Sherman: 0003, 0009; an “electronic identifier” per the BR, as identification associated to a device, which can be in the form of a SecurID or password derived from a security token per se, that is used to identify the security token which is an electronic device. The token in this case may have been previously securely delivered to the client; 0037]
receiving, from the certificate authority, information to be used in generating an electronic record, the information including device-specific information and user-specific information [0029; The system 102 may create the binding 228 by recording data that associates a representation 226 of the digital certificate 232 with a representation 230 of the client. The representation 230 may be data representing the client's identity such a client's name, account information, and/or other client specific data. The binding 228 may be implemented by storing both representations 226 and 230 in a common location such as the client database. As discussed above, the SecureID or password from the security token can be an electronic identifier of a device which in turn can be device-specific information; 0037-0038. The claimed “device specific information” per the BRI, as any data associated or related to a device, e.g. identification, name, address, or a SecurID or password (from a security token). The claimed “user-specific information” per the BRI, as any data associated or related to a user or client per se, e.g. password, key, name, identification or an electronic identifier of a device per se], the information including device-specific information and user-specific information, and the information being identified by the certificate authority using the electronic identifier of the electronic device, the electronic identifier comprising a hash of the user-specific information generated by a hashing algorithm; [Sherman: 0026; (2) data representative of a client password (e.g., a complex password or a hash of a password), (3) data representative of a client public key (e.g., data representative of a client digital certificate (which includes a client public key) or a hash of the public key or a hash of the digital certificate), (4) data representative of an expiration date, relating to the binding of client identification data to data representative of a client public key (e.g., representative of a digital certificate) and (5) access records. Thus, the “hash of the user-specific information” per the BRI, as a hash of a client password or hash of a client public key]
generating the electronic record to comprise at least the electronic identifier and the information to be used in generating the electronic record [Sherman: 0029; system 102 may create the binding 228 by recording data that associates a representation 226 of the digital certificate 232 with a representation 230 of the client 124. The representation 226 of the digital certificate 232 may be, for example, data indicative of the digital certificate or the client public key contained in the digital certificate. The representation 226 may be a unique random string (e.g., produced by a hash of the digital certificate or the public key). The representation 230 of the client 124 may be data indicative of the client. The representation 230 may be data representing the client's identity such a client's name, account information, and/or other client specific data. As such, the record can broadly be recording data that associates a representation of the digital certificate, thus, represents the client’s identity which includes the security token (electronic identifier)], **the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information; [**as rejected under a secondary reference, further details below] 
signing at least a portion of the electronic record using a private key; [Sherman: 0047]
transmitting the electronic record to the certificate authority; and [Sherman: 0056] 
receiving access to the security certificate upon verification of the electronic record by the certificate authority. [Sherman: 0070]

Hockey discloses systems and techniques for enabling a user to securely authorize a third-party system to initiate transactions related to an account, without disclosing to the third-party system the account credentials and also includes automatic generation of electronic records that securely store account information. The electronic records include permission related to the account and the third-party and a token (e.g., a unique identifier associated with the electronic record, also as a "unique record identifier") may be shared with the third-party system [Hockey: 0009]. Hockey suggests “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information” by suggesting specified format based on device or user specific information as a username associated with the user, a password associated with the user, and an external institution identifier and an mobile device identifier code, an mobile device authentication token, or a mobile device Media Access Control (MAC) address. Hockey also discloses to enhance the transaction data associated with the user to generate enhanced transaction data by augmenting, based on an analysis of the transaction data, a plurality of transaction data items of the transaction data with respective category labels and standardizing a format of the transaction data such that 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Hockey with Sherman to teach “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information” for the reason to enable a user to securely authorize a third-party system to initiate transactions related to an account, without disclosing to the third-party system the account credentials and also automatic generation of electronic records that securely store account information.
Claim 2:  See Sherman: 0029; discussing the method of claim 1, wherein the security certificate is determined to be necessary upon detecting that a current security certificate has expired.
Claim 3:  See Sherman: 0028; discussing the method of claim 1, wherein the information to be used in generating the electronic record comprises at least a token.
Claim 4:  See Sherman: 0028; discussing the method of claim 3, wherein the token is mapped to account information for the electronic record.

Claim 6:  See Sherman: 0053; discussing the method of claim 1, wherein the security certificate is a secure sockets layer certificate.
Claim 7:  See Sherman: 0043; discussing the method of claim 1, wherein the method is performed by a webserver that hosts a website, and wherein the security certificate is associated with the website.
Claim 8:  See Sherman: 0041; discussing the method of claim 1, further comprising initiating a transaction by sending a transaction request to a resource provider that includes an indication of the security certificate and a request for a resource.
Claim 9:  See Sherman: 0056; discussing the method of claim 8, wherein the security certificate is associated with policy data that includes permissions for the transaction.
Claim 10:  See Sherman: 0056; discussing the method of claim 1, wherein receiving access to the security certificate comprises receiving a link or reference to the security certificate.
Claim 11:  	Sherman teaches an electronic device comprising, 
a processor, and [Sherman: 0024]
a memory coupled to the processor, the memory comprising code that, when executed by the processor [Sherman: 0024], causes the electronic device to: 
transmit a request to a certificate authority [Sherman: 0003, 0009; an “electronic identifier” per the BR, as identification associated to a device, which can be in the form of a SecurID or password derived from a security token per se, that is used to identify the security token which is an electronic device. The token in this case may have been previously securely delivered to the client; 0037], the request including an electronic identifier of the electronic device; [Sherman: 0028; a digital certificate 232 may be issued to the client 124 by the registration/authentication system 102 of the registration/authentication system 102 or by a third party certification authority. Thus, a “certificate authority” can be given the broadest interpretation (BRI) as also a registration/authentication system]
receive, from the certificate authority, information to be used in generating an electronic record, the information including device-specific information and user-specific information [0029; The system 102 may create the binding 228 by recording data that associates a representation 226 of the digital certificate 232 with a representation 230 of the client. The representation 230 may be data representing the client's identity such a client's name, account information, and/or other client specific data. The binding 228 may be implemented by storing both representations 226 and 230 in a common location such as the client database. As discussed above, the SecureID or password from the security token can be an electronic identifier of a device which in turn can be device-specific information; 0037-0038. The claimed “device specific information” per the BRI, as any data associated or related to a device, e.g. identification, name, address, or a SecurID or password (from a security token). The claimed “user-specific information” per the BRI, as any data associated or related to a user or client per se, e.g. password, key, name, identification or an electronic identifier of a device per se], and the information being identified by the certificate authority using the electronic identifier of the electronic device, the electronic identifier comprising a hash of the user-specific information generated by a hashing algorithm; [Sherman: 0026; (2) data representative of a client password (e.g., a complex password or a hash of a password), (3) data representative of a client public key (e.g., data representative of a client digital certificate (which includes a client public key) or a hash of the public key or a hash of the digital certificate), (4) data representative of an expiration date, relating to the binding of client identification data to data representative of a client public key (e.g., representative of a digital certificate) and (5) access records. Thus, the “hash of the user-specific information” per the BRI, as a hash of a client password or hash of a client public key] 
generate the electronic record to comprise at least the electronic identifier and the information to be used in generating the electronic record [Sherman: 0029; system 102 may create the binding 228 by recording data that associates a representation 226 of the digital certificate 232 with a representation 230 of the client 124. The representation 226 of the digital certificate 232 may be, for example, data indicative of the digital certificate or the client public key contained in the digital certificate. The representation 226 may be a unique random string (e.g., produced by a hash of the digital certificate or the public key). The representation 230 of the client 124 may be data indicative of the client. The representation 230 may be data representing the client's identity such a client's name, account information, and/or other client specific data. As such, the record can broadly be recording data that associates a representation of the digital certificate, thus, represents the client’s identity which includes the security token (electronic identifier)], **the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information; [**as rejected under a secondary reference, further details below]
sign at least a portion of the electronic record using a private key; [Sherman: 0030, 0047] 
transmit the electronic record to the certificate authority; and [Sherman: 0056]
receive a security certificate upon verification of the electronic record by the certificate authority. [Sherman: 0070]

Hockey discloses systems and techniques for enabling a user to securely authorize a third-party system to initiate transactions related to an account, without disclosing to the third-party system the account credentials and also includes automatic generation of electronic records that securely store account information. The electronic records include permission related to the account and the third-party and a token (e.g., a unique identifier associated with the electronic record, also as a "unique record identifier") may be shared with the third-party system [Hockey: 0009]. Hockey suggests “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information” by suggesting specified format based on device or user specific information as a username associated with the user, a password associated with the user, and an external institution identifier and an mobile device identifier code, an mobile device authentication token, or a mobile device Media Access Control (MAC) address. Hockey also discloses to enhance the transaction data associated with the user to generate enhanced transaction data by augmenting, based on an analysis of the transaction data, a plurality of transaction data items of the transaction data with respective category labels and standardizing a format of the transaction data such that 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Hockey with Sherman to teach “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information” for the reason to enable a user to securely authorize a third-party system to initiate transactions related to an account, without disclosing to the third-party system the account credentials and also automatic generation of electronic records that securely store account information.
Claim 12:  See Sherman: 0024; discussing the electronic device of claim 11, wherein the electronic device is a machine-to-machine device.
Claim 13:  See Sherman: 0032; discussing the electronic device of claim 12, wherein the code further causes the electronic device to, upon detecting that a resource used in a primary function of the machine-to-machine device is required, transmit a request for the resource to a resource provider that offers the resource, the request comprising the security certificate.

Claim 15:  See Sherman: 0030; discussing the electronic device of claim 11, wherein the request is transmitted to the certificate authority at an address stored in the memory.
Claim 16:  See Sherman: 0024; discussing the electronic device of claim 11, wherein the code is executed by the processor without user interaction.
Claim 17:  See Sherman: 0024; discussing the electronic device of claim 11, wherein the processor and the memory are included on an integrated circuit.
Claim 18:  	Sherman teaches a certification authority network comprising: 
a record of electronic records; and 
a plurality of nodes, each of the plurality of nodes including instructions that, when executed, cause the node to: 
receive a request for a security certificate from an electronic device [Sherman: 0003, 0009; an “electronic identifier” per the BR, as identification associated to a device, which can be in the form of a SecurID or password derived from a security token per se, that is used to identify the security token which is an electronic device. The token in this case may have been previously securely delivered to the client; 0037], the request including an electronic identifier of the electronic device; [Sherman: 0028; a digital certificate 232 may be issued to the client 124 by the registration/authentication system 102 of the registration/authentication system 102 or by a third party certification authority. Thus, a “certificate authority” can be given the broadest interpretation (BRI) as also a registration/authentication system]
provide, to the electronic device, information to be used in generating an electronic record [Sherman: 0029; system 102 may create the binding 228 by recording data that associates a representation 226 of the digital certificate 232 with a representation 230 of the client 124. The representation 226 of the digital certificate 232 may be, for example, data indicative of the digital certificate or the client public key contained in the digital certificate. The representation 226 may be a unique random string (e.g., produced by a hash of the digital certificate or the public key). The representation 230 of the client 124 may be data indicative of the client. The representation 230 may be data representing the client's identity such a client's name, account information, and/or other client specific data. As such, the record can broadly be recording data that associates a representation of the digital certificate, thus, represents the client’s identity which includes the security token (electronic identifier)], the information including device-specific information and user-specific information, the generated electronic record comprising at least an electric identifier [0029; The system 102 may create the binding 228 by recording data that associates a representation 226 of the digital certificate 232 with a representation 230 of the client. The representation 230 may be data representing the client's identity such a client's name, account information, and/or other client specific data. The binding 228 may be implemented by storing both representations 226 and 230 in a common location such as the client database. As discussed above, the SecureID or password from the security token can be an electronic identifier of a device which in turn can be device-specific information; 0037-0038. The claimed “device specific information” per the BRI, as any data associated or related to a device, e.g. identification, name, address, or a SecurID or password (from a security token). The claimed “user-specific information” per the BRI, as any data associated or related to a user or client per se, e.g. password, key, name, identification or an electronic identifier of a device per se], **the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information [**as rejected under a secondary reference, further details below], the information being identified using the electronic identifier of the electronic device, the electronic identifier comprising a hash of the user-specific information generated by a hashing algorithm; [Sherman: 0026; (2) data representative of a client password (e.g., a complex password or a hash of a password), (3) data representative of a client public key (e.g., data representative of a client digital certificate (which includes a client public key) or a hash of the public key or a hash of the digital certificate), (4) data representative of an expiration date, relating to the binding of client identification data to data representative of a client public key (e.g., representative of a digital certificate) and (5) access records. Thus, the “hash of the user-specific information” per the BRI, as a hash of a client password or hash of a client public key] 
receive, from the electronic device, the generated electronic record including at least a signature portion; [Sherman: 0047] 
identify a public key associated with the electronic device; [Sherman: 0047] 
verify the signature portion of the generated electronic record using the public key; and  [Sherman: 0056]
upon verifying the signature portion of the generated electronic record, appending the generated electronic record to the record of electronic records. [Sherman: 0056, 0070]
Sherman (as explained above) discloses “generating the electronic record to comprise at least the electronic identifier and the information to be used in generating the electronic record” [Sherman: 0029, 0041]. However, Sherman did not clearly teach “the electric identifier generated according to a specified format based on the 
Hockey discloses systems and techniques for enabling a user to securely authorize a third-party system to initiate transactions related to an account, without disclosing to the third-party system the account credentials and also includes automatic generation of electronic records that securely store account information. The electronic records include permission related to the account and the third-party and a token (e.g., a unique identifier associated with the electronic record, also as a "unique record identifier") may be shared with the third-party system [Hockey: 0009]. Hockey suggests “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information” by suggesting specified format based on device or user specific information as a username associated with the user, a password associated with the user, and an external institution identifier and an mobile device identifier code, an mobile device authentication token, or a mobile device Media Access Control (MAC) address. Hockey also discloses to enhance the transaction data associated with the user to generate enhanced transaction data by augmenting, based on an analysis of the transaction data, a plurality of transaction data items of the transaction data with respective category labels and standardizing a format of the transaction data such that the enhanced transaction data may be provided by the computer system in the normalized format [Hockey: 0055]. As such, motivation for “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information”, 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Hockey with Sherman to teach “the electric identifier generated according to a specified format based on the information, the specific format being particular to the device-specific information or user-specific information” for the reason to enable a user to securely authorize a third-party system to initiate transactions related to an account, without disclosing to the third-party system the account credentials and also automatic generation of electronic records that securely store account information.
Claim 19:  Objected
Claim 20:  Objected

Response to Arguments
5.	Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA TRUVAN whose telephone number is (571)272-3851.  The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM,EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


LEYNNA T TRUVAN
Examiner
Art Unit 2435





/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435