DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Allowable Subject Matter
Claims 30, 39 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 43-45 rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 
The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claims 43-45 are directed towards a “device-readable storage medium.” According to the ordinary and customary usage in the art, a device-readable storage medium encompasses transitory media such as signals which store data temporarily. Accordingly, claims 43-45 are not directed towards one the four statutory categories. See MPEP § 2106.03(I). 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 26, 27, 29, 31, 33, 34, 36-38, 41, 43-47, and 49 is/are rejected under 35 U.S.C. 103 as being unpatentable over Askar (US 10,979,299) in view of Kuperman et al. (US 2018/0278584), hereafter “Kuperman.”
Regarding claim 26, Askar teaches a server device (Askar: 440 of FIG. 4), comprising: 	processing circuitry (Askar: col. 7 lines 14-43); and 	communication circuitry to receive, from a client device via an intermediary device, a proof of possession token generated by an authentication service on behalf of the client device (Askar: 5, 7 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	a memory device including instructions embodied thereon, wherein the instructions, when executed by the processing circuitry, configure the processing circuitry to perform operations to (Askar: col. 7 lines 14-43): 	access a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]);The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	grant access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).	Askar does not teach:	access an access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token.	Kuperman teaches: 	access an access control list including a client access control entry for a resource designated accessible to a client device, based on information in a proof of possession token (Kuperman: 218 of FIG. 3; par 0045).	It would have been obvious to one of ordinary skill in the art to implement the access control list of Kuperman within the Askar system with predictable results. One would be motivated to make the combination to enhance the security of the system such that malicious clients are excluded from access. One would further be motivated to make the combination because both Kuperman and Askar relate to providing remote access to Internet of Things (IoT) devices (Kuperman: par 0024). Accordingly, it would 

Regarding claim 27, the server device of claim 26, wherein the proof of possession token is end to end encrypted from the client device to the server device, preventing the intermediary device from accessing data of the proof of possession token (Kuperman: par 0022; Askar: col. 12 lines 60-65). 

Regarding claim 29, the server device of claim 26, wherein the intermediary device is trusted by the server device, and wherein the proof of possession token identifies the server device as an intended audience, wherein in response to identifying the server device as the intended audience, the intermediary device is caused to forward the proof of possession token to the server device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 31, the server device of claim 26, wherein the proof of possession token identifies the server device and the client device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).



Regarding claim 34, the server device of claim 26, wherein to access the access control list, the processing circuitry is to search the access control list for the client device (Kuperman: par 0050). 

Regarding claim 36, a method, comprising a plurality of operations executed with a processor and memory of a server device (Askar: 440 of FIG. 4), the operations comprising:	receiving, via communication circuitry, from a client device via an intermediary device, a proof of possession token generated by an authentication service on behalf of the client device (Askar: 5, 7 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	accessing a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	verifying the intermediary device is a valid intermediary for the client device using the credential resource (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	accessing an access control list, the access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token (Kuperman: 218 of FIG. 3; par 0045); and 	granting access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).

Regarding claim 37, the method of claim 36, wherein the proof of possession token is end to end encrypted from the client device to the server device, preventing the intermediary device from accessing data of the proof of possession token (Kuperman: par 0022; Askar: col. 12 lines 60-65).

Regarding claim 38, the method of claim 36, wherein the intermediary device is trusted by the server device, and wherein the proof of possession token identifies the server device as an intended audience, wherein in response to identifying the server device as the intended audience, forwarding, from the intermediary device, the proof of possession token to the server device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 41, the method of claim 36, further comprising: 	performing an operation to receive a message from the client device via the …the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]; col. 12 lines 60-65); and 	determining that the access control list identifies the resource as being available to the client device in response to processing the message (Kuperman: 218 of FIG. 3; par 0045). 

Regarding claim 43, a device-readable storage medium (Askar: col. 7 lines 14-43) including instructions, wherein the instructions, when executed by a processing circuitry of a server device (Askar: 440 of FIG. 4), cause the processing circuitry to: 	receive, via communication circuitry, from a client device via an intermediary device, a proof of possession token generated by an authentication service on behalf of the client device (Askar: 5, 7 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	access a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	verify the intermediary device is a valid intermediary for the client device using the credential resource (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 

Regarding claim 44, the device-readable storage medium of claim 43, wherein the proof of possession token is end to end encrypted from the client device to the server device, preventing the intermediary device from accessing data of the proof of possession token (Kuperman: par 0022; Askar: col. 12 lines 60-65). 

Regarding claim 45, the device-readable storage medium of claim 43, wherein the intermediary device is trusted by the server device, and wherein the proof of possession token identifies the server device as an intended audience, wherein in response to identifying the server device as the intended audience, forwarding, from the intermediary device, the proof of possession token to the server device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 46, a system, comprising:	a server device (Askar: 440 of FIG. 4) including: 	processing circuitry (Askar: col. 7 lines 14-43); and …the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	a memory device including instructions embodied thereon, wherein the instructions, when executed by the processing circuitry, configure the processing circuitry to perform operations to (Askar: col. 7 lines 14-43): 	access a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	verify the intermediary device is a valid intermediary for the client device using the credential resource (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	access an access control list, the access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token (Kuperman: 218 of FIG. 3; par 0045); and 	grant access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).

Regarding claim 47, the system of claim 46, wherein the system further comprises the intermediary device to: …the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	identify the server device as an intended audience from information in the proof of possession token (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	identify, in an audience access control entry, an identifier of the server device (Kuperman: 218 of FIG. 3; par 0045); and 	forward the proof of possession token to the server device using the identifier (Askar: 10 of FIG. 4; col. 12 lines 49-64). 

Regarding claim 49, the system of claim 46, wherein the system further comprises the client device to: 	generate the proof of possession token and a message requesting the resource (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]);	send the proof of possession token and the message to the intermediary device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); and

Claim 28 is rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), and further in view of Choyi et al. (US 2017/0012778), hereafter “Choyi.”
Regarding claim 28, Askar-Kuperman teaches the server device of claim 27, where the proof of possession token is end to end encrypted (Kuperman: par 0022; Askar: col. 12 lines 60-65).	Askar-Kuperman does not teach: 	using a JavaScript Object Signing and Encryption (JOSE), Concise Binary Object Representation (CBOR) Object Signing and Encryption (COSE), or Object Security for Constrained RESTful Environments (OSCORE) encryption technique. 	Choyi teaches: 	using a JavaScript Object Signing and Encryption (JOSE), Concise Binary Object Representation (CBOR) Object Signing and Encryption (COSE), or Object Security for Constrained RESTful Environments (OSCORE) encryption technique (Choyi: par 0233).	It would have been obvious to one of ordinary skill in the art to implement the CBOR encryption of Choyi within the Askar-Kuperman system with predictable results. One would be motivated to make the combination because it would have been apparent 

Claim 32 is rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), and further in view of Hayton (US 2015/0350168).
Regarding claim 32, Askar-Kuperman does not teach the server device of claim 31, wherein the proof of possession token is one of an OAuth2, OpenID-Connect, SAML, XACML, Kerberos, or Fluffy token.	Hayton teaches a technique of wherein a proof of possession token is one of an OAuth2, OpenID-Connect, SAML, XACML, Kerberos, or Fluffy token (Hayton: par 0099).	It would have been obvious to one of ordinary skill in the art to implement the token of Askar-Kuperman as an SAML token according to the technique of Hayton with predictable results. One would be motivated to make the combination because it would 

Claims 35, 42, and 48 are rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), and further in view of Moloney et al. (US 2019/0156141), hereafter “Moloney.”
Regarding claim 35, Askar-Kuperman teaches the server device of claim 26, wherein the communication circuitry is to use Representational State Transfer (RESTful) interactions among one or more Internet of Things (IoT) network topologies to perform network communication operations (Askar: col. 12 lines 19-30). 	Askar-Kuperman does not explicitly teach: 	wherein the network communication operations are conducted according to one or more Open Connectivity Foundation (OCF) specifications.

Regarding claim 42, the method of claim 36, wherein the communication circuitry is to use Representational State Transfer (RESTful) interactions among one or more Internet of Things (IoT) network topologies to perform network communication operations, and wherein the network communication operations are conducted 

Regarding claim 48, the system of claim 47, wherein the intermediary device is a cloud device or proxy device registered to interact with the server device using Representational State Transfer (RESTful) interactions among one or more Internet of Things (IoT) network topologies, and wherein the interactions are conducted according to one or more Open Connectivity Foundation (OCF) specifications (Askar: col. 12 lines 19-30; Moloney: par 0070).

Claims 40 and 50 are rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), and further in view of Jones et al. (NPL - RFC 7800 “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”), hereafter “Jones.”
Regarding claim 40, Askar-Kuperman does not teach the method of claim 36, wherein verifying the proof of possession token includes verifying that the proof of possession token was signed by the client device using an authentication key. 	Jones teaches:	wherein verifying the proof of possession token includes verifying that the proof of possession token was signed by the client device using an authentication key (Jones: p. 4 [The presenter, for example, (4) uses the private key in a Transport Layer Security (TLS) exchange with the recipient or (4) signs a nonce with the private key. The recipient is able to verify that it is interacting with the genuine presenter by extracting the public key from the confirmation claim of the JWT (after verifying the digital signature of the JWT)]; p. 10 § 3.6). 	It would have been obvious to one of ordinary skill in the art to utilize the token validation process of Jones within the Askar-Kuperman system with predictable results. One would be motivated to make the combination to provide the benefit of enhancing the security of the system by verifying a token signature thereby providing an additional layer of protection against malicious clients. One would further be motivated to make the combination because it would have been apparent to one of ordinary skill that any of a variety of token verification techniques could have been utilized within the system. Accordingly, implementing the technique of Jones would have amounted to simple substitution of one known technique for another with predictable results. 

Regarding claim 50, the system of claim 49, wherein the client device is further to access a web authorization provider to sign the proof of possession token, the proof of possession token signed by the client device using a key received from a credential management service (Jones: p. 4 [The presenter, for example, (4) uses the private key in a Transport Layer Security (TLS) exchange with the recipient or (4) signs a nonce with the private key. The recipient is able to verify that it is interacting with the genuine presenter by extracting the public key from the confirmation claim of the JWT (after verifying the digital signature of the JWT)]; p. 10 § 3.6).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES E SPRINGER whose telephone number is (571)270-5640.  The examiner can normally be reached on 9am - 5:30pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


JAMES E. SPRINGER

Art Unit 2454



/JAMES E SPRINGER/           Primary Examiner, Art Unit 2454