DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant argues that the prior art, Weiss, does not disclose how the attestation server receives an attestation request that comprises a list of attestation methods supported on a mobile device. Examiner disagrees and maintains that the prior art, Weiss discloses this limitation in Claim 1, in paragraph 0033, which discloses that the attestation server conducts various kinds of tests on the user computer, and computes an attestation result (trustworthiness level/rank). Also, Weiss discloses in Para. 0044, that the attestation server may conduct any suitable test for assessing the trustworthiness of the user computer or parts thereof (e.g., the trustworthiness of the TOE, if one is used). For example, the attestation server may request the user computer to provide information related to specific elements of the computer, e.g., information related to the configuration of the user computer. Also, in the “Background of the Invention,” of Weiss, it is noted that computers provided a set (plurality) of information to perform aggregation integrity checks by a server. 
Applicants arguments with respect to the claim 6 103 rejection regarding the prior art, Cha, have been fully considered and are persuasive. Therefore the rejection of claim 6 under Cha is withdrawn.  However, claim 6 is now rejected in view of new reference Sondhi et al. US 20150089622.  See 103 rejection below.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 24 recites the limitation "The method of claim 6, wherein the list of authentication methods is determined from a scope of the OAuth Authorization request.”  There is insufficient antecedent basis for this limitation in the claim. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1, 3-5, 8-9, 11-15, 17-19, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Weiss (US 20130276081) in view of Acar (US 20170155513).
As per claims 1, 13 and 17, Weiss discloses a method for attesting to the integrity of a mobile device, the method comprising: 
sending an attestation request from the mobile device to a device attestation server (Weiss, Fig. 2, element 80, Para. 0044, attestation server 36 performing attestation tests on a given user computer 24, at a testing step 80. The attestation server may conduct any suitable test for assessing the trustworthiness of the user computer or parts thereof; Also, Para. 0058, the user computer initiating an attestation session with a certain attestation server) wherein the attestation request comprises a list of attestation methods supported on the mobile device (Weiss, Para. 0044, the attestation server may conduct any suitable test for assessing the trustworthiness of the user computer or parts thereof…. For example, the attestation server may request the user computer to provide information related to specific elements of the computer, e.g., information related to the configuration of the user computer.);
 running at the device attestation server an attestation method supported by the mobile device (Weiss, Para. 0033, the attestation server conducts various kinds of tests on the user computer, and computes an attestation result (e.g., a trustworthiness level or trust rank). The attestation server sends the attestation result to the user computer, which stores it locally. The attestation result stored in the user computer may be signed and/or encrypted in order to ensure its authenticity.); 
performing a validation method using the attestation [token] (Weiss, Para. 0049, in some embodiments, each attestation server has a unique security certificate, which is signed by a common Certification Authority (CA). Such a CA is often referred to as an attestation CA. The attestation server may sign the attestation record with this unique certificate; para 0053, data center validator processes the attestation results).
Weis discloses the attestation server generating an attestation record and the attestation server sending the attestation results to the user computer. See para 0048.  Weis does not disclose; however, Acar discloses creating an attestation token at the device attestation server, the attestation token including a validation result and a plurality of attributes (Acar, Para.0042-0043, The TPM circuit acquires the attestation certificate (“attestation token”) after providing the TPM public key, the user token, and the device token to the attestation certificate provider. If the information provided to the attestation certificate (“attestation token”) provider withstands scrutiny at the provider (e.g., achieves a desired level of trust), then the attestation certificate is provided to the apparatus. Acquiring the attestation certificate provides information that the apparatus can provide to other entities (e.g., LUK provider) that will facilitate achieving a desired level of trust. ); 
sending the attestation token to the mobile device (Acar, Para. 0043, The TPM circuit acquires the attestation certificate (“attestation token”) after providing the TPM public key, the user token, and the device token to the attestation certificate (“attestation token”) provider. If the information provided to the attestation certificate (“attestation token”) provider withstands scrutiny at the provider (e.g., achieves a desired level of trust), then the attestation certificate (“attestation token”) is provided to the apparatus (“mobile device”). Acquiring the attestation certificate (“attestation token”) provides information that the apparatus (“mobile device”) can provide to other entities (e.g., LUK provider) that will facilitate achieving a desired level of trust. )); and

As per claim 3, Weiss discloses the method of claim 1, wherein the step of running at the device attestation server an attestation method supported by the mobile device comprises determining, at the device attestation server, which attestation methods are supported by the mobile device (Weiss, Para. 0044, performing attestation tests on a given user computer. The attestation server may conduct any suitable test for assessing the trustworthiness of the user computer or parts thereof (e.g., the trustworthiness of the TOE, if one is used). For example, the attestation server may request the user computer to provide information related to specific elements of the computer, e.g., information related to the configuration of the user computer. Typically, the attestation server requests information that has been generated by TPM of the user computer.). 
As per claim 4, Weis discloses the method of claim 1, wherein the validation result is calculated using the result of the attestation method (Weiss, Para. 0044, performing attestation tests on a given user computer. The attestation server may conduct any suitable test for assessing the trustworthiness of the user computer or parts thereof (e.g., the trustworthiness of the TOE, if one is used). For example, the attestation server may request the user computer to provide information related to specific elements of the computer, e.g., information related to the configuration of the user computer. Typically, the attestation server requests information that has been generated by TPM of the user computer; Para. 0047, the attestation server computes a trust rank of the user computer, at a rank computation. The trust rank, which is viewed as an example of an attestation result, comprises a numerical value that quantifies the level of trust attributed by the attestation server to the user computer.  Para. 0049, in some embodiments, each attestation server has a unique security certificate, which is signed by a common Certification Authority (CA). Such a CA is often referred to as an attestation CA. The attestation server may sign the attestation record with this unique certificate.), a confidence level of the result of the attestation method (Weiss, Para. 0025, attestation server has assessed the trustworthiness level of a given user computer, the attestation server produces a record indicating the trustworthiness level; Also, Para. 0044, The attestation server may conduct any suitable test for assessing the trustworthiness of the user computer or parts thereof), and the attestation method (Weiss, Para. 0044, the attestation server may request the user computer to provide information related to specific elements of the computer, e.g., information related to the configuration of the user computer). 
As per claims 5 and 19, Weis as modified by Acar discloses the method of claim 1, wherein the step of performing the validation method further comprises sending the attestation token together with an access request to an application server interface (Acar, Para. 0043, The TPM circuit acquires the attestation certificate (“attestation token”) after providing the TPM public key, the user token, and the device token to the attestation certificate provider. If the information provided to the attestation certificate provider withstands scrutiny at the provider (e.g., achieves a desired level of trust), then the attestation certificate is provided to the apparatus. Acquiring the attestation certificate provides information that the apparatus can provide to other entities (e.g., LUK provider) that will facilitate achieving a desired level of trust. Also, Weis, Para. 0053, In order to enable the data center to verify the trustworthiness of the user computer, the user computer provides its latest attestation record to validator 68 of the data center, at a record forwarding step 100. The data center validator processes the attestation results and decides whether to regard the user computer as trustworthy or not, at a trust decision). 
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to incorporate the teaching of Acar with the system and method of Weiss given the benefit of providing the attestation results in a secure structured and standard format comprising additional attributes related to the results. 
As per claims 8, 14, and 18, Weiss discloses the method of claim 1, wherein the plurality of attributes comprises one or more of a timestamp, an expiration date, an indication of the attestation method used, a confidence level, an identity of the mobile device, and token binding information (Weiss, Para. 0051-0052, the attestation server may add to the attestation record a time stamp, indicating the time at which the attestation results were calculated. Additionally or alternatively, the attestation server may receive from the user computer a unique identifier of the computer at the beginning of the attestation test procedure.). 
As per claims 9 and 15, Weis discloses the method of claim 1, wherein the step of creating the attestation token further comprises signing the attestation token (Weis, Para. 0049, The attestation server may sign the attestation record with this unique certificate, or with any other suitable secure signature.). 
As per claim 11, Weis discloses the method of claim 1, wherein the attestation token includes a signature, and wherein the step of validating the attestation token at the (Weis, Para. 0049, The attestation server may sign the attestation record with this unique certificate, or with any other suitable secure signature; Also, Para. 0052, the attestation server may include in the attestation record any other suitable information that assists in attesting the trustworthiness of the user computer.). 
As per claim 12, Weiss discloses the method of claim 1, wherein the step of running an attestation method comprises checking memory to determine a status of the mobile device (Weiss, Para. 0033, the attestation server conducts various kinds of tests on the user computer; para 0045, “attestation server may request the user computer to provide its BIOS signature, and compare it to a list of known and legitimate BIOS signatures”; para 0060, “attestation server verifies that the two separately-provided counter values match.”) 
As per claim 21, Weis does not disclose; however, Acar discloses the method of claim 5, wherein the application server interface includes an identity management (IdM) server, the method further comprising: 
issuing, by the IdM server, at least one of cookies, tokens, or assertions to the mobile device in response to determining an attestation status of the mobile device, the attestation status indicating validity of the attestation token (Acar, Fig 2, Para. 0018-0020, The TPMpub, user token, device token, and AIK may be provided to an attestation certificate provider that will selectively return an attestation certificate. Similarly, The TPMpub, user token, device token, and EK may be provided to an endorsement certificate provider that will selectively return an endorsement certificate. Upon validating the information provided in the LUK request, the LUK provider 200 may provide an encrypted LUK to the operating system. The encrypted LUK will be encrypted with the TPMpub key provided with the LUK request. If the authentication succeeds, then the TPM may decrypt the encrypted LUK to produce materials that will be used to conclude the transaction.). 
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to incorporate the teaching of Acar with the system and method of Weiss given the benefit of providing the attestation results in a secure structured and standard format comprising additional attributes related to the results. 
As per claim 22, Weis does not disclose; however, Acar discloses the method of claim 5, wherein the application server interface includes an identity management (IdM) server, the method further comprising: 
issuing, by the IdM server, an access token embedded with an attestation status indicating validity of the attestation token (Acar, Fig 2, Para. 0018-0020, The TPMpub, user token, device token, and AIK may be provided to an attestation certificate provider that will selectively return an attestation certificate. Similarly, The TPMpub, user token, device token, and EK may be provided to an endorsement certificate provider that will selectively return an endorsement certificate. Upon validating the information provided in the LUK request, the LUK provider 200 may provide an encrypted LUK to the operating system. The encrypted LUK will be encrypted with the TPMpub key provided with the LUK request. If the authentication succeeds, then the TPM may decrypt the encrypted LUK to produce materials that will be used to conclude the transaction.).
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to incorporate the teaching of Acar with the system and 
As per claim 23, Weis does not disclose; however, Acar discloses the method of claim 22, further comprising: 
processing, by an application server, the attestation status to make an access decision in response to the access request (Acar, Para. 0046, Once the apparatus has the user token, the device token, the attestation certificate, the endorsement certificate, and an LUK, the apparatus 500 is ready to be used for a purchase or other transaction. Upon authenticating the credential, the TPM circuit decrypts the LUK using the TPM private key. The credential acquired from the user may be, for example, a PIN or a biometric value (e.g., fingerprint, iris). The TPM circuit decrypts the LUK independent of the credential.). 
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to incorporate the teaching of Acar with the system and method of Weiss given the benefit of providing the attestation results in a secure structured and standard format comprising additional attributes related to the results.  
Claims 6 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Weiss (US 20130276081) in view of Acar (US 20170155513) in view of Sondhi (US 20150089622).
As per claim 6, Weis and Acar do not disclose; wherein the step of sending an attestation request from the mobile device to a device attestation server is triggered by an OAuth Authorization request to an IdM server.  Sondhi discloses an OAuth service comprising an OAuth authorization request to an IdM server (Sondhi, Para. 0047, user consent from resource owner 202 is required in order for OAuth authorization server 220 to grant an access token to client application 204. If client application 204 requests access to a particular resource (or a particular scope including that resource) from resource server 210, then resource server 210 may redirect the request to OAuth authorization server 220. OAuth authorization server 220 may invoke user consent orchestration 226 in order to ask resource owner 202 to verify that client application 204 should be granted access to the particular resource (or particular scope); para 0092, in response to receiving the token request, the OAuth authorization server selects … a particular URL that is mapped to the particular identity domain in which the client application resides … the OAuth authorization server requests scope information from the resource server … the resource server … selects … a particular authorization policy that is mapped to the particular identity domain”). 
Weiss discloses it is important to verify that a user computer with which a platform interacts is trustworthy to verify that the user computer is not infected by a virus, an impersonation attack or other security risk. See Weiss, para 0024 and 0032.  Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to combine the system and method of Sondhi with the system and method of Weis and Acar given the benefit of ensuring the trustworthiness of a mobile device participating in an OAuth service. 
As per claim 24, Weis, Acar, do not disclose; however, Sondhi discloses the method of claim 6, wherein the list of authentication method is determined from a scope of the OAuth Authorization request (Sondhi, Para. 0065, Each resource server's set of authorization policies may differ from each other resource server's set of authorization policies. The authorization policies for one tenant may differ from the authorization policies for another tenant; Also, Para. 0090, tenants can "plug in" desired authorization policies to the OAuth authorization system by configuring those authorization policies within the resource servers deployed to their identity domain; ); para 0092, in response to receiving the token request, the OAuth authorization server selects … a particular URL that is mapped to the particular identity domain in which the client application resides … the OAuth authorization server requests scope information from the resource server … the resource server … selects … a particular authorization policy that is mapped to the particular identity domain”; Para. 0096, The OAuth authorization server determines an identity of a user based on the token request. The OAuth authorization server determines a scope of access based on the token request. The OAuth authorization retrieves, from a repository, values of the configuration-specified attributes for the identified user; Also, Para. 0100, the OAuth authorization server locates a particular mapping (e.g., the first mapping or the second mapping) that specifies the particular client application type. In block 914, the OAuth authorization server determines a particular URL (e.g., the first URL or the second URL) that is specified in the particular mapping. In block 916, the OAuth authorization server forwards the user authentication request to a particular plug-in (e.g., the first plug-in or the second plug-in) that is located at the particular URL). 
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to combine the system and method of Sondhi with the system and method of Weis and Acar given the benefit of ensuring the trustworthiness of a mobile device participating in an OAuth service.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Weiss (US 20130276081) in view of Acar (US 20170155513) in view of Poornachandran (US 20120167188).
As per claim 7, Weis and Acar do not disclose; however, Poornachandran discloses the method of claim 1, wherein the step of sending an attestation request from the mobile device to a device attestation server is sent by a user agent on the mobile device (Poornachandran, Para. 0029, Master authentication agent recognizes the need for user identity attestation and causes the user identity attestation module user interface to appear in response to other user interactions with the mobile device, such as a request to log in or to initiate a transaction.) 
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to incorporate the teaching of Poornachandran with the system and method of Weiss and Acar given the benefit of performing user identity attestation in mobile commerce for ensuring the security of transactions on a mobile device. 
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Weiss (US 20130276081) in view of Acar (US 20170155513) in view of Zhang (US 20170142108).
As per claim 10, Weiss and Acar do not disclose; however, Zhang discloses the method of claim 9, wherein the signed token is of the JSON Web Signature (JWS) format (Zhang, Para. 0056, JSON Web Signature (JWS)). 
Therefore, it is obvious to one ordinary skilled in the art before the effective filing date of the claimed invention to incorporate the teaching of Zhang with the system and .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Anderson (US 20110125894): The system and method for intelligent workload management described herein may include a computing environment having a model-driven, service-oriented architecture for creating collaborative threads to manage workloads, wherein the management threads may converge information for managing identities and access credentials, enforcing policies, providing compliance assurances, managing provisioned and requested services, and managing physical and virtual infrastructure resources.
Jorgensen (US 20110209064): The system and method described herein may identify one or more virtual desktop extensions available in a cloud computing environment and launch virtual machine instances to host the available virtual desktop extensions in the cloud. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANGELA R HOLMES whose telephone number is (571)270-3357.  The examiner can normally be reached on Monday-Friday 8:00AM-4:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ANGELA R HOLMES/Examiner, Art Unit 2498                


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439