Remarks
Claims 1, 4-7, and 9-27 are pending.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 6/21/2021 have been fully considered but they are not persuasive.
Applicant’s 102 arguments regarding Sade are moot, since Applicant amended claim 1 to include subject matter for which a 103 rejection was previously provided and is currently provided.  
Applicant alleges “Sade clearly does not disclose the more specific recitation of ‘replacing [replica authentication information operable to authenticate the source resource to the proxy manager and inoperable to enable the source resource to access the access-restricted target resource] in the request with the temporary authentication information,’ as recited in amended claim 1.”  Applicant has put many more words within the square brackets here in an apparent attempt to imply that Sade somehow does not disclose this subject matter.  However, Applicant provides no argument against the fact that Sade discloses the limitation in which the majority of these words are found: 
Sade discloses a non-transitory computer readable medium containing instructions that, when executed by at least one processor, 
Receiving, at a proxy manager, a request from a source resource to access an access restricted target resource, the request including replica authentication information operable to authenticate the source resource to the proxy manager and inoperable to enable the source resource to access the access restricted target resource (Exemplary Citations: for example, Abstract; Paragraphs 16, 109, 122, 125, 130-134, 144, 157-175, 190, 233, 234, 251, 255, and associated figures; receiving a request at the intermediate element, proxy system, provisioning system, etc., including credentials such as authentication credentials, for example);
Sade clearly discloses replica authentication information in the authentication credentials therein, which are used to authenticate to the intermediate element, proxy system, provisioning system, etc. and are inoperable to enable access to the target.  Therefore, Sade discloses the majority of what Applicant is arguing here.  Sade does not explicitly disclose generating an updated request by replacing the replica authentication information in the request with the temporary authentication information.  Reeve, however, discloses generating an updated request by replacing the replica authentication information in the request with the temporary authentication information in Reeve’s disclosure of finding and replacing credential with another credential, for example.  
Reeve does not cure these deficiencies of Sade.”  Applicant then appears to quote Reeve and alleges “But the claimed replica authentication information is ‘operable to authenticate the source resource to the proxy manager.’  Not only are the claimed features absent from Reeve, Reeve teaches away from the claimed combination.”  The primary reference, Sade, already discloses that the authentication information is operable to authenticate the source resource to the proxy manager.  Applicant has not even attempted to argue this fact.  The secondary reference need not provide a duplicate teaching, since the primary reference already discloses such subject matter.  With respect to Applicant’s allegation that “Not only are the claimed features absent from Reeve”, the Examiner notes that Reeve discloses generating an updated request by replacing the replica authentication information in the request with the temporary authentication information and this fact has not been argued.  Applicant appears to only argue the secondary reference for subject matter already present in the primary reference, which, as discussed above, the secondary reference need not provide the same disclosure as the primary reference.  With respect to Applicant’s allegation that “Reeve teaches away from the claimed combination”, Applicant refrains from providing any actual argument as to why Applicant believes this.  To the contrary, Reeve’s disclosure of replacing credentials within a request with other credentials fits perfectly with Sade’s disclosure of receiving authentication credentials and then sending other credentials.  
Applicant alleges “The Office Action cites Sade as teaching these elements of claim 13, but Sade does not appear to disclose interception of requests.”  To the contrary, Sade discloses that the proxy intercepts messages that request access to the 
Applicant alleges “The Office Action cites Stolfo as disclosing this element of claim 21, but Stolfo instead teaches away from this element.  Stolfo concerns, in part, creating decoys for combatting internal misuse.4  Because the attackers are inside attackers and presumed to be sophisticated, Stolfo discloses credentials having corresponding identities or accounts, so that the attackers can verify these accounts (‘the inside attacker can verify that the particular identity is real or not’)5 or log in to them (‘the decoy information can be a login ... that appears and functions like an actual login’).6  Not only are the claimed features absent from Stolfo, Stolfo teaches away from this recitation.”  To the contrary, Applicant has admitted that Stolfo discloses “creating decoys for combatting internal misuse” and that “the decoy information can be a login that appears and functions like an actual login”.  This clearly shows use of decoy credentials, as claimed.  The Examiner thanks Applicant for showing that Stolfo discloses claim 21.  The Examiner also notes that these decoy credentials are used to detect attackers in Stolfo (Applicant is directed to even just the abstract of Stolfo that discloses this and further all of the cited portions of Stolfo).  Since Applicant provides no actual argument here other than a general allegation that “Not only are the claimed Stolfo, Stolfo teaches away from this recitation”, no further response is necessary.  
Applicant then takes issue with the obviousness rationales set forth for the combination of Sade in view of Reeve.  Applicant appears to copy in portions of the motivation statements, alleges “But the first reason is circular, the second and third reasons are inconsistent with the proposed modification, and no evidence is provided for the fourth reason.  Accordingly, this obviousness rationale does not support the rejection of cancelled claim 8.”  Applicant continues by apparently elaborating on these arguments, which will each be discussed as they are raised by Applicant.  
Applicant alleges “The first reason is circular because it asserts that adding (‘allow[ing]’) a feature (‘direct replacement of credentials’) is a sufficient reason to add (‘incorporate’) the feature (‘credential replacement’).  The purported rationale is merely the feature itself, restated.  If this reasoning was sufficient, then every combination would be obvious, because a rationale for any added feature could be constructed in this manner.  But not every combination is obvious, so such reasoning cannot be sufficient.”  To the contrary, the actual motivation statement includes more than a restatement of the feature itself.  Indeed, the motivation statement reads “It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the credential replacement techniques of Reeve into the user provisioning system of Sade in order to allow for direct replacement of credentials in requests/messages with authorizing credentials”.  The direct replacement of credentials in requests/messages with authorizing credentials is, itself, a benefit found by incorporating the credential 
It is Applicant’s argument that is circular.  Applicant alleges that, if a certain type of motivation proves obviousness, that all combinations would be obvious, but, since all combinations cannot be obvious, the motivation cannot prove obviousness.  This is, indeed, a perfect example of a circular argument, where Applicant attempts to prove that something cannot exist because, if it were to exist, Applicant believes that all combinations would be obvious, which Applicant believes cannot exist.  
Applicant then alleges “The second and third reasons are inconsistent with the proposed modification because the additional features would elaborate (not ‘simplify’) the process of Sade, and restrict (not increase) the ways to provide credentials.  Sade discloses ways to create a session, the proposed combination recites a specific way.  The second and third reasons do not support modifying Sade to select this specific way.”  However, Applicant fails to provide any reasons as to why Applicant believes that the combination would not simplify the process of Sade or restrict the ways to provide credentials.  Indeed, allowing for a request to be modified to replace credentials therein with other credentials is one way in which a system that creates a separate message would be simplified by not requiring the creation of a separate message.  Furthermore, 
With respect to Applicant’s belief that “Sade discloses ways to create a session, the proposed combination recites a specific way.  The second and third reasons do not support modifying Sade to select this specific way”, it is entirely unclear just what Applicant is attempting to argue.  Applicant has not provided any explanation of what a specific way is.  Applicant appears to just be arguing that having additional options would result in having fewer options, which is simply absurd, as discussed above.  
Applicant goes on to allege “And the Office Action provides no evidence that ‘incorporat[ion of] the credential replacement techniques of Reeve into the user provisioning system of Sade’ does ‘increase security in the system’.  As the Office appears to be relying on Official Notice, Applicant respectfully traverses this assertion of Official Notice and requests that the Office provide documentary evidence in the next Office action if the rejection is to be maintained.”  No official notice was taken.  Thus, no .  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-7, 10, 13, 16-18, 20, 24, 26, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Sade (U.S. Patent Application Publication 2016/0006712) in view of Reeve (U.S. Patent Application Publication 2019/0141022).
Regarding Claim 1,
Sade discloses a non-transitory computer readable medium containing instructions that, when executed by at least one processor, cause the at least one processor to perform operations for enabling 
Receiving, at a proxy manager, a request from a source resource to access an access restricted target resource, the request including replica authentication information operable to authenticate the source resource to the proxy manager and inoperable to enable the source resource to access the access restricted target resource (Exemplary Citations: for example, Abstract; Paragraphs 16, 109, 122, 125, 130-134, 144, 157-175, 190, 233, 234, 251, 255, and associated figures; receiving a request at the intermediate element, proxy system, provisioning system, etc., including credentials such as authentication credentials, for example);
Generating, in response to the request, temporary authentication information corresponding to the replica authentication information, the temporary authentication information being operable to enable the source resource to access the access restricted target resource (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 210, 221-230, 234-247, 251, 253, 258, 259, and associated figures; generating credentials, such as provisioned credentials, for this/these session/request/user/authentication credentials in order to access a particular target, for example);
Generating a request to the target resource including the temporary authentication information corresponding to the replica authentication information (Exemplary Citations: for example, Abstract, Paragraphs 17, 
Making available to the access restricted target resource the request to the target resource, without sending the temporary authentication information to the source resource (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 210, 221-230, 234-247, 251, 253, 258, 259, and associated figures; accessing the target using the provisioned credentials, without sending provisioned credentials to user/client, for example); and
Revoking the temporary authentication information after it was made available to the access restricted target resource (Exemplary Citations: for example, Abstract, Paragraphs 26, 60, 196-204, 225, 252-254, and associated figures; withdrawing provisioned credentials, for example);
But does not explicitly disclose generating an updated request by replacing the replica authentication information in the request with the temporary authentication information.  
Reeve, however, discloses generating an updated request by replacing the replica authentication information in the request with the temporary authentication information (Exemplary Citations: for example, Abstract, Paragraphs 14, 15, 18, 46, 60, 77, 81, 83, 98, 100-102, and 
Regarding Claim 17,
Claim 17 is a method claim that corresponds to medium claim 1 and is rejected for the same reasons.  
Regarding Claim 4,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that making available to the access restricted target resource the temporary authentication information includes generating, at the proxy manager, a new message including the temporary authentication information and sending the new message to the access restricted target resource (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 210, 221-230, 234-247, 251, 253, 258, 259, and associated figures; message with provisioned or privileged credentials, for example).  
Regarding Claim 5,

Regarding Claim 6,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the revoking occurs upon the termination of a session between the source resource and the access restricted target resource (Exemplary Citations: for example, Abstract, Paragraphs 26, 60, 196-204, 225, 252-254, and associated figures).  
Regarding Claim 7,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the revoking occurs according to a revocation schedule (Exemplary Citations: for example, Abstract, Paragraphs 26, 60, 196-204, 225, 252-254, and associated figures).  
Regarding Claim 10,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the request is an API request from an 
Regarding Claim 13,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the proxy manager is configured to intercept the request before it reaches the access restricted target resource (Exemplary Citations: for example, Abstract; Paragraphs 16, 109, 122, 125, 130-134, 144, 157-175, 190, 233, 234, 251, 255, and associated figures).  
Regarding Claim 16,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the replica authentication information includes metadata identifying the source resource (Exemplary Citations: for example, Abstract; Paragraphs 16, 109, 122, 125, 130-134, 144, 157-175, 190, 233, 234, 251, 255, and associated figures).  
Regarding Claim 18,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the proxy manager applies an authorization policy to the request prior to making the temporary authentication information available to the access restricted target resource (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 208, 210, 221-230, 234-247, 251, 253, 258, 
Regarding Claim 20,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the proxy manager is configured to identify the source resource as compromised (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 208, 210, 221-230, 234-247, 251, 253, 258, 259, and associated figures; terminating session with source upon breach or invalid activities, for example).  
Regarding Claim 24,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the proxy manager is configured to deny access to the access restricted target resource when the request does not comply with the authentication policy (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 208, 210, 221-230, 234-247, 251, 253, 258, 259, and associated figures).  
Regarding Claim 26,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the proxy manager is configured to determine whether the replica authentication information is associated with the source resource (Exemplary Citations: for example, Abstract; 
Regarding Claim 27,
Sade as modified by Reeve discloses the medium of claim 1, in addition, Sade discloses that the proxy manager is configured to dynamically create a cloud credential for inclusion in, or for generating, the temporary authentication information in response to the request (Exemplary Citations: for example, Abstract, Paragraphs 17, 18, 110-117, 119, 122, 125-134, 145, 146, 176-191, 210, 221-230, 234-247, 251, 253, 258, 259, and associated figures).  

Claims 9, 11, 12, 14, 15, 19, 22, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Sade in view of Reeve and Taly (U.S. Patent 9,397,990).
Regarding Claim 9,
Sade as modified by Reeve does not appear to explicitly disclose that the replica authentication information is generated using a corresponding cryptographic source key and the temporary authentication information is generated using a corresponding cryptographic cloud key.  
Taly, however, discloses that the replica authentication information is generated using a corresponding cryptographic source key and the temporary authentication information is generated using a corresponding cryptographic cloud key (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, 
Regarding Claim 11,
Sade as modified by Reeve does not appear to explicitly disclose that a cryptographic source key for inclusion in, or for use in generating, the replica authentication information is integrated into the application.  
Taly, however, discloses that a cryptographic source key for inclusion in, or for use in generating, the replica authentication information is integrated into the application (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, line 55; Column 8, line 14 to Column 9, line 24; Column 9, line 64 to Column 10, line 23; Column 10, line 59 to Column 11, line 45; Column 12, lines 53-61; and associated figures).  It would have been 
Regarding Claim 12,
Sade as modified by Reeve does not appear to explicitly disclose that a cryptographic source key for generating the replica authentication information is stored in local memory on the source resource.  
Taly, however, discloses that a cryptographic source key for generating the replica authentication information is stored in local memory on the source resource (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, line 55; Column 8, line 14 to Column 9, line 24; Column 9, line 64 to Column 10, line 23; Column 10, line 59 to Column 11, line 45; Column 12, lines 53-61; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the decentralized authorization techniques of Taly into the user provisioning system of Sade as modified by Reeve in order to allow for credential 
Regarding Claim 14,
Sade as modified by Reeve does not appear to explicitly disclose that a credential management resource is configured to store pairs of corresponding cryptographic source keys for including in, or for generating, replica authentication information and cryptographic cloud keys for including in, or for generating, temporary authentication information.  
Taly, however, discloses that a credential management resource is configured to provide, to the proxy manager in response to a request from the proxy manager, stored key pairs; each key pair including a cryptographic source key for including in, or for generating, replica authentication information and a corresponding cryptographic cloud key for including in, or for generating, temporary authentication information (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, line 55; Column 8, line 14 to Column 9, line 24; Column 9, line 64 to Column 10, line 23; Column 10, line 59 to Column 11, line 45; Column 12, lines 53-61; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of 
Regarding Claim 15,
Sade as modified by Reeve does not appear to explicitly disclose that the proxy manager is configured to replace cloud credentials with replacement cloud credentials.  
Taly, however, discloses that the credential management resource is configured to repeatedly update the stored cryptographic cloud keys with replacement cryptographic cloud keys  (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, line 55; Column 8, line 14 to Column 9, line 24; Column 9, line 64 to Column 10, line 23; Column 10, line 59 to Column 11, line 45; Column 12, lines 53-61; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the decentralized authorization techniques of Taly into the user provisioning system of Sade as modified by Reeve in order to allow for credential delegation, provide for additional caveats, ensure that all caveats are taken care of prior to authorization, to allow for explicitly 
Regarding Claim 19,
Sade as modified by Reeve does not appear to explicitly disclose that the proxy manager is configured to detect anomalous usage of a source cryptographic key.  
Taly, however, discloses that the proxy manager is configured to detect anomalous usage of a source cryptographic key (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, line 55; Column 8, line 14 to Column 9, line 24; Column 9, line 64 to Column 10, line 23; Column 10, line 59 to Column 11, line 45; Column 12, lines 53-61; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the decentralized authorization techniques of Taly into the user provisioning system of Sade as modified by Reeve in order to allow for credential delegation, provide for additional caveats, ensure that all caveats are taken care of prior to authorization, to allow for explicitly setting third parties that must perform functions prior to authorization being allowed, and/or to increase security in the system.  
Regarding Claim 22,

Taly, however, discloses that the authorization policy imposes a time limit on source cryptographic key validity (Exemplary Citations: for example, Abstract, Column 1, line 38 to Column 2, line 14; Column 4, line 52 to Column 7, line 55; Column 8, line 14 to Column 9, line 24; Column 9, line 64 to Column 10, line 23; Column 10, line 59 to Column 11, line 45; Column 12, lines 53-61; and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the decentralized authorization techniques of Taly into the user provisioning system of Sade as modified by Reeve in order to allow for credential delegation, provide for additional caveats, ensure that all caveats are taken care of prior to authorization, to allow for explicitly setting third parties that must perform functions prior to authorization being allowed, and/or to increase security in the system.  
Regarding Claim 23,
Sade as modified by Reeve does not appear to explicitly disclose that the authorization policy imposes a single usage limit on source cryptographic key validity.  
Taly, however, discloses that the authorization policy imposes a single usage limit on source cryptographic key validity (Exemplary .  

Claims 21 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Sade in view of Reeve and Stolfo (U.S. Patent Application Publication 2010/0077483).  
Regarding Claim 21,
Sade as modified by Reeve discloses the method of claim 17, in addition, Sade discloses that the proxy manager is configured to detect use of replica authentication information including, or generated with, a credential (Exemplary Citations: for example, Abstract; Paragraphs 16, 109, 122, 125, 130-134, 144, 157-175, 190, 233, 234, 251, 255, and associated figures);

Stolfo, however, discloses that the proxy manager is configured to detect use of replica authentication information including, or generated with, a decoy credential, the decoy credential created to identify potential malicious activity and lacking a corresponding credential for generating temporary authentication information (Exemplary Citations: for example, Abstract, Paragraphs 10-18, 40-49, 51, 52, 66-76, 78-91, 93-107, 109-118, 121-159, 161-179, 181-189, and associated figures; decoy credentials being used to detect attackers, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the attacker baiting techniques of Stolfo into the user provisioning system of Sade as modified by Reeve in order to allow the system to detect attackers, to bait attackers into being caught, to increase the chances of finding malicious entities, and/or to increase security in the system.  
Regarding Claim 25,
Sade as modified by Reeve discloses the method of claim 18, in addition, Sade discloses that the proxy manager is configured to flag the source resource for investigation when the request does not comply with 
Stolfo also discloses that the proxy manager is configured to flag the source resource for investigation when the request does not comply with the authentication policy (Exemplary Citations: for example, Abstract, Paragraphs 10-18, 40-49, 51, 52, 66-76, 78-91, 93-107, 109-118, 121-159, 161-179, 181-189, and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the attacker baiting techniques of Stolfo into the user provisioning system of Sade as modified by Reeve in order to allow the system to detect attackers, to bait attackers into being caught, to increase the chances of finding malicious entities, and/or to increase security in the system.  

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432