DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed 06/27/2019. Claims 1-25 have been filed.

Priority
	No priority has been claimed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/27/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Note on Subject Matter and Patent Eligibility 
Computer Readable Medium: Claims 21-25 are subject matter eligible because the claimed “computer readable storage medium” is defined in the specification to exclude transitory computer readable storage medium:
“A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire” – par. 0091.
As such, claims 1-25 are determined as subject matter and patent eligible under 35 U.S.C. 101 analysis, i.e., Abstract Idea, Software per se and CRM analysis.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 11-12, 14, 16, 19 and 21-24 are rejected under 35 U.S.C. 102 (a) (2) as being anticipated by Shukla, US2019/0349357A1.

Per claim 11, Shukla discloses a computer-implemented method, comprising: 
generating, by a system operatively coupled to a processor, a digital identity token that is bound to a computer application process (A cloud-based credential manager generates an authentication token.  The authentication token is provided to an orchestration server over a secure channel.  The orchestration server transmits authentication token to the handler process over a secure channel.  The handler process uses the authentication token to obtain strong cryptographic identity for the application/container.  The strong cryptographic identity for the application/container is assigned a security policy group based on a group identifier.  The group identifier is submitted by the handler process when requesting a credential for the application/container.  The strong cryptographic identity may also be assigned a group based on the group that was associated with the authentication token – Shukla: par. 0039); and 
(Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claim 16, Shukla discloses a computer-implemented method, comprising: 
generating, by a system operatively coupled to a processor, a digital identity token that is bound to a computer application process (A cloud-based credential manager generates an authentication token.  The authentication token is provided to an orchestration server over a  – Shukla: par. 0039); and 
comparing, by the system, the digital identity token to a defined policy that governs the computer application process to retrieve a security credential (Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claim 21, Shukla discloses a computer program product for distribution of a security credential, the computer program product comprising a computer readable storage medium having program instructions embodied therewith (Shukla: par. 0044 and Fig. 1-2), the program instructions executable by a processor to cause the processor to: 
generate, by a system operatively coupled to the processor, a digital identity token that is bound to a computer application process (A cloud-based credential manager generates an authentication token.  The authentication token is provided to an orchestration server over a secure channel.  The orchestration server transmits authentication token to the handler process over a secure channel.  The handler process uses the authentication token to obtain strong cryptographic identity for the application/container.  The strong cryptographic identity for the application/container is assigned a security policy group based on a group identifier.  The group identifier is submitted by the handler process when requesting a credential for the application/container.  The strong cryptographic identity may also be assigned a group based on the group that was associated with the authentication token – Shukla: par. 0039); and 
compare, by the system, the digital identity token to a security key to retrieve the security credential (Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claims 12 and 22, Shukla discloses features of claims 11 and 21 respectively, further comprising: comparing, by the system, the digital identity token to a defined policy that governs the computer application process, wherein retrieval of the security credential is based further on the comparing the digital identity token to the defined policy (Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claim 14, Shukla discloses features of claim 11, further comprising: an application component (i.e., handler process) that uses the security credential to execute the computer application process by retrieving data from a database (Upon detecting the start of an application/container, the handler determines the stored group identity of the application/container and other attributes 520.  The security group identity may be stored in a file or as an environment variable.  The handler may, additionally, read a certificate signing request generation configuration file 530.  Configuration information includes, but is not limited to, entity ID, organizational unit, name of application/process, organization name, and group name…the handler process can enforce the security policies by maintaining association between groups and IP addresses upon successful authentication. Then for any network connection, groups corresponding to the source and destination IP addresses are obtained and the security policy specified for communication between those two groups is enforced – Shukla: par. 0055 and 0063 – Note: retrieving configuration and other information for validation is inherently from some sort of a database).

Per claim 19 and 23, Shukla discloses features of claims 16 and 21 respectively, further comprising: an application component that uses the security credential to execute the computer application process by retrieving data in accordance with the defined policy (An application/container from one group wishing to access resources of another application/container from another group is required to authenticate itself based on strong cryptographic credentials…a strong cryptographic identity or digital certificate is assigned to an application/container and uses authentication of the identity, in conjunction with a group-based security policy, to provision computing resources and prevent unauthorized access.  A mechanism for enforcing group-based security policy for access to computing resources is provided.  A description and embodiment are also provided for a cloud-based identity management system that prevents unauthorized access to the resource of the application/container.  In this way, identity is linked to group-based policy – Shukla: par. 0042 and 0047).

Per claim 24, Shukla discloses the computer program product of claim 21, wherein the digital identity token is generated in the cloud computing environment (A cloud-based credential manager generates an authentication token – Shukla: par. 0039).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1.	Claims 13, 18 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla, US2019/0349357A1 in view of Wentz, US2020/0201679A1 (Provisional 62/718376).

Per claims 13 and 18, Shukla discloses features of claims 11 and 16 respectively. Shukla is not relied on to explicitly disclose but Wentz discloses wherein the digital identity token is signed by a chain of trust that originates from hardware (Secure computing module 116 and/or device incorporating secure computing module 116 may incorporate a trusted non-volatile storage device that provides some means of verification of secure storage capability and other properties. Memory protocols as described above may be used to implement methods of attested storage and the chain of trust beginning at PUF 124 level up through processor, memory and code – Wentz (provisional): par. 0038).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Shukla in view of Wentz to include wherein the digital identity token is signed by a chain of trust that originates from hardware.
One of ordinary skill in the art would have been motivated because it would allow “to provide a cryptographically strong seed for public/private key encryption of other methods using private keys” – Wentz (provisional): par. 0016.

Per claim 25, Shukla discloses the computer program product of claim 21, wherein the digital identity token expires after a defined amount of time (The spent token is invalidated so it cannot be used again, Tokens are also invalidated if they have not been used for a specified amount of time – Shukla: par. 0053), and Shukla is not relied on to explicitly disclose but Wentz discloses wherein the digital identity token is signed by a chain of trust that originates from hardware (Secure computing module 116 and/or device incorporating secure computing module 116 may incorporate a trusted non-volatile storage device that provides some means of verification of secure storage capability and other properties. Memory protocols as described above may be used to implement methods of attested storage and the chain of trust beginning at PUF 124 level up through processor, memory and code – Wentz (provisional): par. 0038).
The same motivation to modify Shukla in view of Wentz applied to claim 13 above applies here.

2.	Claims 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla, US2019/0349357A1 in view of Jeuk, US2018/0026893A1.

Per claims 15 and 20, Shukla discloses features of claims 11 and 16 respectively, wherein the digital identity token expires after a defined amount of time (The spent token is invalidated so it cannot be used again, Tokens are also invalidated if they have not been used for a specified amount of time – Shukla: par. 0053), and although Shukla is not relied on to disclose, Jeuk discloses wherein the digital identity token comprises a measurement describing a workload of the computer application process (The UCCaaS 202 stores the various IDs in a database 210 can then can extract the IDs from packet in data flows, access a database 210 that stores the IDs and associated policies (on a per-service, per-tenant or even per-workload, per-subcomponent of workload basis).  The UCCaaS 202 can then use the policies to define flow rules that are then delivered via an API to an OpenFlow Application 214 and Hardware/Software switches for managing data flow 216. [0034] FIG. 2 illustrates a logical component 212 in the UCCaaS 202 that inspects the packets received from a OpenFlow enabled vSwitch 216 through an OpenFlow Application 214, detects the service-ID, tenant-ID, workload-ID, sub-workload-ID and/or other IDs and requests details such as flow-definitions and policy miles 210 that can be enforced on the switch 216 – Jeuk: par. 0033-0034 – Note: policies are used to enforce Universal Cloud Classification in a UCC as-a-service).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Shukla in view of Jeuk to include wherein the digital identity token comprises a measurement describing a workload of the computer application process.
One of ordinary skill in the art would have been motivated because it would allow “to enable and disable the UCC on-demand as well as enable it on a per-tenant, per-service or even on a per-workload or sub-workload basis” – Jeuk: par. 0017.

3.	Claims 1-2, 4, 6-7, 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla, US2019/0349357A1 in view of Engan, US2019/0312730A1.

Per claim 1, Shukla discloses a system, comprising: 
a memory that stores computer executable components (A handler process 248 executes in the memory of the computing device and performs all tasks related to identity management and group security-policy enforcement – Shukla: par. 0046); 
a processor, operably coupled to the memory, and that executes the computer executable components stored in the memory (The client computers 240 are computing devices such as a personal computer, notebook computer, workstation, server, smart phone, or the like.  The application 246 can be a webserver, database server, or any other application.  A handler process 248 executes in the memory of the computing device and performs all tasks related to identity management and group security-policy enforcement… – Shukla: par. 0046), wherein the computer executable components comprise: 
Although Shukla discloses generates a digital identity token that is bound to a computer application process, it is not relied on to disclose a trusted platform module component but Engan discloses a trusted platform module component (i.e., see cryptograph modules 324 and cryptograph module 342 as shown in figure 3, wherein the cryptograph module 324 generates the application instance public-private key pair) that generates a digital identity token that is bound to a computer application process (the client application instance 106 may generate an application instance public-private key pair 114, and the server application 102 may generate a server application public-private key pair 116… the authentication token provider 110 may extract the application instance public key 122 from the authentication token request 126. [0024] The application instance public key 122 is then used by the authentication token provider 110 to generate an authentication token 138.  The authentication token 138 may include a header 140, a body 142, and a digital signature 144…the digital signature 144 may be used to verify the identity of the sender (authentication token provider 110) …the authentication token 138 is stored by the client application instance 106 for future use.  [0025] In some embodiments, the client application instance 106 may use the authentication token 138 in combination with a proof-of-possession (POP) token 148 to request access to a service provided by the secure service provider 112 – Engan: par. 0020 and 0023-0025 – Note: In various embodiments, the authentication token 138 may be a data structure having the format of a standard JavaScript Object Notation (JSON) web token).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Shukla in view of Engan to include a trusted platform module component that generates a digital identity token that is bound to a computer application process.
One of ordinary skill in the art would have been motivated because it would allow “to confirm several things: (1) the application instance public key 122 was used to obtain the authentication token 138 from an IDP (the authentication token provider 110) trusted by the secure service provider 112, and (2) the nested token 150 was not altered after being created by the client application instance 106.  Furthermore, because the application instance private key 210 of the client application instance 106 was never transmitted over any network, this private key could not have been stolen and used by an unauthorized entity to gain access to the service provided by the secure service provider 112 ” – Engan: par. 0028.

Shukla further discloses a key authenticity component that compares the digital identity token to a security key to retrieve a security credential (Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claim 6, Shukla discloses a system, comprising: 
a memory that stores computer executable components (A handler process 248 executes in the memory of the computing device and performs all tasks related to identity management and group security-policy enforcement – Shukla: par. 0046); 
a processor, operably coupled to the memory, and that executes the computer executable components stored in the memory (The client computers 240 are computing devices such as a personal computer, notebook computer, workstation, server, smart phone, or the like.  The application 246 can be a webserver, database server, or any other application.  A handler process 248 executes in the memory of the computing device and performs all tasks related to identity management and group security-policy enforcement… – Shukla: par. 0046), 
wherein the computer executable components comprise: 
Although Shukla discloses generates a digital identity token that is bound to a computer application process, it is not relied on to disclose a trusted platform module component but in view of Engan discloses a trusted platform module (i.e., see cryptograph modules 324 and cryptograph module 342 as shown in figure 3, wherein the cryptograph module 324 generates the application instance public-private key pair) that generates a digital identity token that is bound to a computer application process (the client application instance 106 may generate an application instance public-private key pair 114, and the server application 102 may generate a server application public-private key pair 116… the authentication token provider 110 may extract the application instance public key 122 from the authentication token request 126. [0024] The application instance public key 122 is then used by the authentication token provider 110 to generate an authentication token 138.  The authentication token 138 may include a header 140, a body 142, and a digital signature 144…the digital signature 144 may be used to verify the identity of the sender (authentication token provider 110) …the authentication token 138 is stored by the client application instance 106 for future use.  [0025] In some embodiments, the client application instance 106 may use the authentication token 138 in combination with a proof-of-possession (POP) token 148 to request access to a service provided by the secure service provider 112 – Engan: par. 0020 and 0023-0025 – Note: In various embodiments, the authentication token 138 may be a data structure having the format of a standard JavaScript Object Notation (JSON) web token).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Shukla in view of Engan to include a trusted platform module component that generates a digital identity token that is bound to a computer application process.
One of ordinary skill in the art would have been motivated because it would allow “a secure service provider to validate the request as coming from a valid source and free from tampering” – Engan: par. 0039.
Shukla further discloses a policy authenticity component that compares the digital identity token to a defined policy that governs the computer application process to retrieve a security credential (Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claims 2 and 7, Shukla in view of Engan discloses systems of claims 1 and 6 respectively, further comprising: a policy authenticity component that performs a comparison of the digital identity token to a defined policy that governs the computer application process, wherein retrieval of the security credential is based further on the comparison (Based on that identity and group association, the credential manager also issues the application/container a security policy.  The application/container uses its strong cryptographic identity to obtain access to a computing resource based on the issued security policy… The cloud-based credential manager is publicly accessible and listens on a known port(s) for incoming requests for certificate signing 410.  Upon receiving a new request for certificate signing 420, the credential manager initiates a validation mechanism.  For each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440 – Shukla: par. 0049 and 0053 – Note: application/container 122-126 are each an entity equivalent to the instant application process and their identity and authorization for accessing their authorized resources is validated by credential manager, wherein credential manager validates/compares the entity ID and token extracted from the incoming request with the group name extracted from the certificate and if validated, signs and returns the signed certificate equivalent to the instant security credential).

Per claim 4, Shukla in view of Engan discloses features of claim 1, further comprising: an application component (i.e., handler process) that uses the security credential to execute the computer application process by retrieving data from a database (Upon detecting the start of an application/container, the handler determines the stored group identity of the application/container and other attributes 520.  The security group identity may be stored in a file or as an environment variable.  The handler may, additionally, read a certificate signing request generation configuration file 530.  Configuration information includes, but is not limited to, entity ID, organizational unit, name of application/process, organization name, and group name…the handler process can enforce the security policies by maintaining association between groups and IP addresses upon successful authentication. Then for any network connection, groups corresponding to the source and destination IP addresses are obtained and the security policy specified for communication between those two groups is enforced – Shukla: par. 0055 and 0063 – Note: retrieving configuration and other information for validation is inherently from some sort of a database).

Per claim 9, Shukla in view of Engan discloses features of claim 6, further comprising: an application component that uses the security credential to execute the computer application process by retrieving data in accordance with the defined policy (An application/container from one group wishing to access resources of another application/container from another group is required to authenticate itself based on strong cryptographic credentials…a strong cryptographic identity or digital certificate is assigned to an application/container and uses authentication of the identity, in conjunction with a group-based security policy, to provision computing resources and prevent unauthorized access.  A mechanism for enforcing group-based security policy for access to computing resources is provided.  A description and embodiment are also provided for a cloud-based identity management system that prevents unauthorized access to the resource of the application/container.  In this way, identity is linked to group-based policy – Shukla: par. 0042 and 0047).

Per claim 17, Shukla in view of Engan discloses the computer-implemented method of claim 16.
Although Shukla discloses “[f]or each incoming request, the credential manager extracts the entity ID and the token from the request.  The group name is extracted from the certificate to be signed.  The token and its group are validated for the given token and entity ID.  Upon validation 430, the certificate authority signs the certificate and returns the signed certificate to the handler process at the client 440” – Shukla: par. 0053 – Note: an extracted entity ID implies an entity’s public key being extracted from the incoming request), it is not relied on to explicitly disclose comparing, by the system, the digital identity token and a public key, but Engan discloses further comprising: comparing, by the system, the digital identity token and a public key, wherein retrieval of the security credential is based further on the comparing of the digital identity token and the public key (The secure service provider 112 may validate the nested token 150 prior to providing service to the client application instance 106.  The secure service provider 112 may use the IDP public key 120 to validate the authentication token 138 that is signed with the digital signature 144 that is encapsulated in the body 214 of the nested token 150.  Following the validation of the authentication token 138, the secure service provider may extract the application instance public key 122 from the authentication token 138.  The application instance public key 122 is then used by the secure service provider 112 to validate that the digital signature 216 of the nested token 150 – Engan: par. 0028).
The same motivation to modify Shukla in view of Engan applied to claim 1 above applies here.

4.	Claims 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla, US2019/0349357A1 in view of Engan, US2019/0312730A1 as applied to claims 1 and 6 respectively, further in view of Wentz, US2020/0201679A1 (Provisional 62/718376).

Per claims 3 and 8, Shukla in view of Engan discloses features of claims 1 and 6 respectively. Although Engan discloses “FIGS. 5-7 present illustrative processes 500-700 for using an authentication token request with a referred application instance public key to enable a client application instance to obtain secure services from a secure service provider.  Each of the processes 500-700 is illustrated as a collection of blocks in a logical flow chart, which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof” Engan: par. 0051, it is not relied on to explicitly disclose but Wentz discloses wherein the digital identity token is signed by a chain of trust that originates from hardware (Secure computing module 116 and/or device incorporating secure computing module 116 may incorporate a trusted non-volatile storage device that provides some means of verification of secure storage capability and other properties. Memory protocols as described above may be used to implement methods of attested storage and the chain of trust beginning at PUF 124 level up through processor, memory and code – Wentz (provisional): par. 0038).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Shukla-Engan further in view of Wentz to include wherein the digital identity token is signed by a chain of trust that originates from hardware.
One of ordinary skill in the art would have been motivated because it would allow “to provide a cryptographically strong seed for public/private key encryption of other methods using private keys” – Wentz (provisional): par. 0016.

5.	Claims 5 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Shukla, US2019/0349357A1 in view of Engan, US2019/0312730A1 as applied to claims 1 and 6 respectively, further in view of Jeuk, US2018/0026893A1.

Per claims 5 and 10, Shukla in view of Engan discloses features of claims 1 and 6 respectively, wherein the digital identity token expires after a defined amount of time (The spent token is invalidated so it cannot be used again, Tokens are also invalidated if they have not been used for a specified amount of time – Shukla: par. 0053), and although Shukla in view of Engan is not relied on to disclose, Jeuk discloses wherein the digital identity token comprises a measurement describing a workload of the computer application process (The UCCaaS 202 stores the various IDs in a database 210 can then can extract the IDs from packet in data flows, access a database 210 that stores the IDs and associated policies (on a per-service, per-tenant or even per-workload, per-subcomponent of workload basis).  The UCCaaS 202 can then use the policies to define flow rules that are then delivered via an API to an OpenFlow Application 214 and Hardware/Software switches for managing data flow 216. [0034] FIG. 2 illustrates a logical component 212 in the UCCaaS 202 that inspects the packets received from a OpenFlow enabled vSwitch 216 through an OpenFlow Application 214, detects the service-ID, tenant-ID, workload-ID, sub-workload-ID and/or other IDs and requests details such as flow-definitions and policy miles 210 that can be enforced on the switch 216 – Jeuk: par. 0033-0034 – Note: policies are used to enforce Universal Cloud Classification in a UCC as-a-service).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Shukla-Engan further in view of Jeuk to include wherein the digital identity token comprises a measurement describing a workload of the computer application process.
One of ordinary skill in the art would have been motivated because it would allow “to enable and disable the UCC on-demand as well as enable it on a per-tenant, per-service or even on a per-workload or sub-workload basis” – Jeuk: par. 0017.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Radhakrishnan (US2013/0047199A1) discloses resource provider 140 may provide an instance of an application from a cloud, e.g., computing power and/or results of a computation.  Resource 145 may also be, for example, a service, an application, or a virtual machine.  Resource provider 140 may be operable to send resource tokens 115c that identify the types of resources 145 requested by device 114 such as a financial application.  Resource provider 140 may further include a policy enforcement point that restricts or excludes user 112 from accessing a resource 145 until TBAC module 110 grants access to user 112.

Thakkar (US2018/0077142A1) discloses software functionality as being any function, capability, or feature, e.g., stored or arranged data, that is provided via computer code, i.e., software, accessible via use of a user interface (UI), and accompanying user interface controls and features.  Software functionality may include actions, such as retrieving data pertaining to a business object; performing an enterprise-related task, ..., wherein in its collaborative cloud environment, certain embodiments address the need to share data from an authenticated account or session with other enterprise applications and/or users or user sessions, but without exposing authentication information, e.g., account credentials used to authenticate the account such that selective sharing of and use of credentials (for use by a software application and/or user session thereof) is possible without exposing the credentials themselves to the software application or other user.

Baird (US2019/0028485A1) discloses Data analytics engine 124 receiving an access token from authorization server 130 (message 332) and validating the access token with authorization server 130 (message 334.sub.1).  When validation of the access token is received (message 336.sub.1), the access token is associated with the authenticated user (e.g., user 108) at the data analytics engine 124 (message 338).  As an example, user 108 and a corresponding access token might be associated in a set of access control data 302 that can be accessed by web application 122 and/or data analytics engine 124.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Examiner, Art Unit 2434