DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In communications filed on 10/13/2021. Claims 1, 3, 8, 10, and 15 are amended. Claims 1-20 are pending in this examination.
 In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   This examination is in response to US Patent Application No. 16/289,652.

Examiner note
In claims 1, and 8 “computer storage media” has been cited in Paragraph 110 of specification as “Computer storage media include volatile and nonvolatile, removable and non- removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing device 800. Computer storage media excludes signals per se.”
For the purpose of compact prosecution, examiner tried to contact the application representative on 10/29/2021, 11/1/2021, and 11/9/20121 over the phone, however was unable to reach him. Applicant is encouraged to schedule an interview with the examiner prior to the next communication to compact prosecution of the case.
Response to Argument
Applicant’s arguments with respect to in independent claims for newly added limitation: “autonomously “have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.


Applicant's arguments filed on 10/13/2021 regarding claims 1, 8, and 15  have  been fully considered but they are not persuasive:

The Applicant respectfully submits on pages 12-14 of remarks filed on 10/13/2021 that the combination of references fails to teach or suggest "wherein the signature descriptor is a claim-based authentication object that supports autonomously signing data via a KDS server that manages encryption keys and decryption keysPage 12 of 15 in the distributed computing- system and communicates the encryption keys and decryption keys based on the sig-nature descriptor," as recited in claim 1.

Examiner respectfully disagrees with remarks filed on pages 12-14 on 10/13/2021 for claims 1, 8, and 15. 

	The combination of Beacham and Fitch discloses: 

wherein the signature descriptor is a claim-based authentication object that supports autonomously signing data  
Beacham discloses: [See FIG. 1, requesting server (116), Key importer module (key importer module 120 configured to request and accept keys on the server)], and [see FIG.4, When at 408 the credential string is present in the credential map, the SKDS server has established the identity of the requesting server and at block 410 the SKDS server determines what keys the requesting server has access to. Once the SKDS server determines at block 410 what keys the requesting server has access to, at block 412 the SKDS server sends those keys to the requesting server].
Fitch discloses: [ ¶37, a user can request that the BSM generate a signature based on the private key, then a request with the public key and signature can be sent to a recipient who can verify (e.g., by normal PKI infrastructure) an identity of the sender( equated to claimed- base authentication, the sender claims he is the sender of request).  The private key can also be used for other functions as well, such as to encrypt data or other such information]

a KDS server that manages encryption keys and decryption keys in the distributed computing system and communicates the encryption keys and decryption keys based on the signature descriptor
Beacham discloses: [Col.2 lines 14-17, this disclosure describes a secure key distribution service (SKDS) that minimizes the time and expense of validating servers on a network. As described above, “key” or “keys” may refer to encryption keys ], and [Col. 4 lines 54-60, at block 310, the requesting server sends a request for keys and the identity information to the SKDS server indicated in the configuration file. When the SKDS server allows sending of keys, at block 312 the keys from the SKDS server are received. At block 314, the requesting server imports the keys into key storage for use by the requesting server's encryption application], and [see claims 1,and 2, authorizing, by the SKDS server device, transmission of encryption key information at least partly in response to determining that the network address of the requesting server device matches the resolved network address].

Examiner Note: Examiner maintains his rejection.
	
Allowable Subject Matter 
Claims 3-4, 10, and 12 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-8, 11, 14-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 9,252,947 issue to Beacham et al (“Beacham”) (filed in IDS (06/15/2020)) in view of US Patent Application No. 2017/0187521 to Fitch et al (“Fitch”) (filed in IDS (06/15/2020)) and further view of US Patent Application No. 2019/0124058 to Kawahara.
Regarding claim 1, Beacham discloses a computer system for providing autonomous signing management for a key distribution service in a distributed computing system, the system comprising[See FIG. 1 and corresponding text for more details, requesting server with key importer module, secure key distribution service server(SKDS) with key storage module and SKD service module], and [Abstract]; and
 one or more processors; and one or more computer storage media storing computer-useable instructions that, when used by the one or more processors, cause the one or more processors to execute[ Col.7 lines 15-22, as described in this application, modules and engines may be implemented using software, hardware, firmware, or a combination of these.  
a Key Distribution Service (KDS) client device configured to [See FIG. 1, requesting server (116), Key importer module (key importer module 120 configured to request and accept keys on the server)]; and
	authenticate a signing entity caller with a security token service (STS) based on a security token and communicate a key request [Col.4 lines 54-56, at block 310, the requesting server sends a request for keys and the identity information to the SKDS server indicated in the configuration file]; and
wherein the key request is associated the security token of the signing entity caller [ Col.4 lines 54-56   At block 310, the requesting server sends a request for keys and the identity information to the SKDS server indicated in the configuration file], and [ see FIG.4 and corresponding text for more detail]; and
a Key Distribution Service (KDS) server configured to [see FIG. 1, secure key distribution service server (SKDS server) (124)]; and
receive the key request from the KDS client device[Col.5 lines 4-5, at block 402, the SKDS server receives a request for keys and the identity information sent by a requesting server ]; and
 generate an encryption key associated with the key request [See FIG. 4; when at 408 the credential string is present in the credential map, the SKDS server has established the identity of the requesting server and at block 410 the SKDS server determines what keys the requesting server has access to. Once the SKDS server determines at block 410 what keys the requesting 
and communicate the encryption key to the KDS client device [See FIG. 4, when at 408 the credential string is present in the credential map, the SKDS server has established the identity of the requesting server and at block 410 the SKDS server determines what keys the requesting server has access to. Once the SKDS server determines at block 410 what keys the requesting server has access to, at block 412 the SKDS server sends those keys to the requesting server]; and
and the KDS client device configured to:  Page 37 of 43Nonprovisional Patent Application405621-US-NP/320042receive the encryption key[See FIG. 1, requesting server (116), Key importer module( key importer module 120 configured to request and accept keys on the server)], and [see FIG.4 , When at 408 the credential string is present in the credential map, the SKDS server has established the identity of the requesting server and at block 410 the SKDS server determines what keys the requesting server has access to. Once the SKDS server determines at block 410 what keys the requesting server has access to, at block 412 the SKDS server sends those keys to the requesting server]; and 
a KDS server that manages encryption keys and decryption keys in the distributed computing system and communicates the encryption keys and decryption keys based on the signature descriptor[Col.2 lines 14-17, this disclosure describes a secure key distribution service (SKDS) that minimizes the time and expense of validating servers on a network. As described above, “key” or “keys” may refer to encryption keys ], and [Col. 4 lines 54-60, at block 310, the requesting server sends a request for keys and the identity information to the SKDS server indicated in the configuration file. When the SKDS server allows sending of keys, at block 312 the keys from the SKDS server are received. At block 314, the requesting server 
Beacham  does not explicitly disclose, however, Fitch discloses access data and a signature descriptor, wherein a signature descriptor supports signing data with an encryption key and verifying a signature with a decryption key, the signature used to sign the data [ ¶37, a user can request that the BSM generate a signature based on the private key, then a request with the public key and signature can be sent to a recipient who can verify (e.g., by normal PKI infrastructure) an identity of the sender.  The private key can also be used for other functions as well, such as to encrypt data or other such information], and [¶45, For example, the active content can construct a request to a defined server, where that request includes information indicating that the request is to be signed using a specific key or credential stored by the BSM.  When the request is intercepted by the BSM, the BSM can pre-process the request to replace that information with an actual signature using the indicated key…]; and 
wherein the signature descriptor is a claim-based authentication object that supports autonomously signing data  
Beacham discloses [See FIG. 1, requesting server (116), Key importer module (key importer module 120 configured to request and accept keys on the server)], and [see FIG.4, When at 408 the credential string is present in the credential map, the SKDS server has established the identity of the requesting server and at block 410 the SKDS server determines what keys the requesting server has access to. Once the SKDS server determines at block 410 
Fitch discloses: [ ¶37, a user can request that the BSM generate a signature based on the private key, then a request with the public key and signature can be sent to a recipient who can verify (e.g., by normal PKI infrastructure) an identity of the sender( equated to claimed- base authentication, the sender claims he is the sender of request).  The private key can also be used for other functions as well, such as to encrypt data or other such information]; and 
authenticate the signing entity caller based on the security token and the signature descriptor; and sign the data with a signature
Even though Beacham discloses this limitation as: (See, Fig. 4; the SKDS server compares the resolved network address provided by DNS with the network address provided in the identity information of the requesting server. When a match is found at block 406, the SKDS server, at block 408, determines if the credential string in the identity information is present within a credential map. When at 408 the credential string is present in the credential map, the SKDS server has established the identity of the requesting server and at block 410 the SKDS server determines what keys the requesting server has access to. Once the SKDS server determines at block 410 what keys the requesting server has access to, at block 412 the SKDS server sends those keys to the requesting server]; and 
However, Beacham does not explicitly disclose and Fitch discloses [Abstract, Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process.  A client device use a security credential such as a key to sign a request to be sent to a recipient.  When the request is received, the recipient determines whether the request was signed using the correct key for the sender.  In signature of the request], and [¶12].
Beacham and Fitch are analogous art because they are from the same field of endeavor which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beacham with the teaching of  Fitch to include the token in the request because it would have allowed a user will obtain security credentials that enable that user to communicate with another party over a network in a way that enables the recipient to authenticate an identity of the sender, and prevents unintended recipients from accessing information it the communications [Fitch, ¶2].
 Beacham and Fitch do not explicitly disclose, however,  Kawahara discloses autonomously  [ Abstract, The terminal device includes: a list/request sending unit that, when the terminal device operates as an owner device, generates a key distribution request, signs the key distribution request, and transmits the key distribution request to a key distribution management device], and [¶75, the terminal device 12 autonomously connects to the key distribution management device 11 (for example, it makes a connection to the key distribution management device 11 by itself triggered by receiving a telephone call).].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Beacham and Fitch with the teaching of Kawahara in order to provide a key distribution request to the key distribution management device 11 , which is made by the terminal device 12 itself. At the time of a request, a signature is attached using secret information possessed by the terminal device 12. The key distribution management device 11 confirms whether the requesting terminal device 12 is a correct user or 12 with data from the authentication information database 13[Kawahara, ¶75].

Regarding claims 8 and 15, these claims interpreted and rejected for the same rational set forth in claim 1.
Regarding claims 11 and 18, these claims interpreted and rejected for the same rational set forth in claim 6.
Regarding claim 12, the claim interpreted and rejected for the same rational set forth in claim 4.
Regarding claims 14 and 20, these claims are interpreted and rejected for the same rational set forth in claim 7.
Regarding claim 16, Beacham disclose wherein the key request is an encryption key for signing the data or the key request is for a decryption key for verifying the signature
Regarding claim 17, these claims are interpreted and rejected for the same rational set forth in claim 5.
Regarding claim 5, Beacham and Kawahara do not explicitly disclose however, Fitch discloses wherein generating the encryption key is based on verifying that claims of the signature descriptor are embedded in the security token [Abstract, Authenticated requests can be sent without requiring the requests to include or potentially expose secret information used for the authentication process.  A client device use a security credential such as a key to sign a request to be sent to a recipient.  When the request is received, the recipient determines whether the request was signed using the correct key for the sender.  In some embodiments a client token is included with the request that statelessly encodes the key, enabling a recipient capable of decoding the client token to determine the key and compare that key to the signature of the request], and [¶12].
Beacham and Fitch are analogous art because they are from the same field of endeavor which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beacham and Kawahara with the teaching of  Fitch to include the token in the request because it would have allowed a user will obtain security credentials that enable that user to communicate with another party over a network in a way that enables the recipient to authenticate an identity of the sender, and prevents unintended recipients from accessing information it the communications.( Fitch, ¶2
Regarding claim 6, Beacham, and Kawahara do not explicitly disclose  however,  Fitch  discloses wherein signing the data further comprises generating an encryption-decryption tuple comprising the data, the signature, and the signature descriptor [Abstract, Authenticated requests can be sent without requiring the requests to include or potentially expose signature of the request], and [¶12].
Beacham and Fitch are analogous art because they are from the same field of endeavor which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beacham nd Kawahara with the teaching of  Fitch to include the token in the request because it would have allowed a user will obtain security credentials that enable that user to communicate with another party over a network in a way that enables the recipient to authenticate an identity of the sender, and prevents unintended recipients from accessing information it the communications[ Fitch, ¶2].
Regarding claim 7, Beacham discloses wherein the KDS server performs centralized management and distribution of keys for client devices in the distributed computing system, which obviates key management and distribution using data protectors at the client devices, while providing sign data managers and verify signature managers for autonomous signing operation [ see claim 1 and corresponding text for more detail, Secure Key Distribution service Server(SKDS, SKD Service Module and Key Storage Module)

Claims 2, 9, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 9,252,947 issue to Beacham et al (“Beacham”) ( filed in IDS(06/15/2020)) in view of US Patent Application No. 2017/0187521 to Fitch et al (“Fitch”) ( filed in IDS(06/15/2020)) and .
Regarding claim 2, Beacham, Fitch, and Kawahara do not explicitly disclose, however Borowiec discloses wherein accessing the data and the signature descriptor further comprises accessing a hash of the data [FIG. 6, Col.12 lines 47-56, generating (516) the token representing the authentication of the user credentials and the authorized access privileges includes generating (601) a digital signature of data representing the authorized access privileges.  Generating (601) the digital signature includes hashing (602) the data representing the authorized access privileges and encrypting (604) the hashed data using a public key of the storage array access module.  The encrypted hashed data forms the digital signature.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Beacham , Fitch, and Kawahara with the teaching of Borowiec in order for Providing authorization and authentication for a user by determining  whether the hashed data matches the decrypted digital signature [ Borowiec, Abstract, 63]. 
Regarding claim 9, these claims are interpreted and rejected for the same rational set forth in claim 2.
Regarding claim 13, Beacham, Fitch, and Kawahara do not explicitly disclose, Borowiec  discloses wherein decrypting the signature further comprises comparing a signing entity hash of the data to a decrypting entity hash of the data  [Col.12 lines 62-67, also in the example of FIG. 6, determining (524) whether to grant the user access request includes decrypting (612) the digital signature using the public key of the cloud-based security module; hashing (614) the data representing the authorized access privileges; and determining (616) whether the hashed data matches the decrypted digital signature].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Beacham, Fitch, and Kawahara with the teaching of Borowiec in order for Providing authorization and authentication for a user by determining whether the hashed data matches the decrypted digital signature [Borowiec, Abstract, Col.12 lines 62-67]. 
Regarding claim 19, Beacham, Fitch, and Kawahara do not explicitly disclose, Borowiec  discloses wherein the decryption key is communicated to the KDS client device to cause the KDS client to decrypt a signature and verify a hash of data signed using the signature[Col.12 lines 62-67,  Also in the example of FIG. 6, determining (524) whether to grant the user access request includes decrypting (612) the digital signature using the public key of the cloud-based security module; hashing (614) the data representing the authorized access privileges; and determining (616) whether the hashed data matches the decrypted digital signature].
		It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Beacham, Fitch, and Kawahara with the teaching of Borowiec in order for Providing authorization and authentication for a user by determining whether the hashed data matches the decrypted digital signature [Borowiec, Abstract, Col.12 lines 62-67]. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Kincaid( US10187375) [(2) Organizations involved in secure communications, for example, between servers and other servers or client nodes, maintain integrity and confidentiality of data using encryption and signature services between nodes. Such services may include public and private key systems that include public and private key generation and distribution, signature services, random number generation, authentication, certificate administration, and infrastructure monitoring. To efficiently administer such systems, organizations may implement centralized or distributed services engines that allow controlled access to users, depending on a business need], and [41 Secure user terminals, such as the user terminal 190, may consume signature and authentication services from the PKI 110 to identify itself while performing tasks for a specific enterprise( equated to claimed-based authentication)], and [(74) In an alternative embodiment, the user may select the key generation option 2530 (block 2420). The processor 135 may display a elliptic curve key or RSA key generation window 2800 (block 2425), including a public key 2810 and a private key 2820, as illustrated in FIG. 28. Another alternative embodiment includes a user selecting (block 2410) a signing and hashing option 2540, as illustrated in FIG. 25. The processor 135(from the Cryptographic Management Console) may generate a signature or hash (block 2440) for a given input].
Campagna (US2018/0183774) [Key distribution and distributed computing environment].
Chen (US2007/0297610) [A network-based data protection scheme for a mobile device utilizes encryption techniques and a remote key server that stores encryption keys on behalf of the mobile device.  The mobile device stores encrypted data, preferably having no unencrypted counterpart stored therewith.  On an as-needed basis, the mobile device requests a decryption key (or an encrypted version of a decryption key) from the key server, where the decryption key can be used by the mobile device to decrypt the encrypted information.  The key server transmits the decryption key to the mobile device after authenticating the user of the mobile device.]. 
Cowburn (US2007/0113076) [A key distribution system can comprise a key packaging unit operable to package a key using a signature based upon an intrinsic property of a security token, a channel operable to have the packaged key transmitted there through; and a key unpacking unit operable to unpack the key using a signature based upon the intrinsic property of the security token.  Thereby the key can be transmitted via a non-secure channel to a recipient for use thereby, without it being possible for a third party to obtain a copy of the key by monitoring the channel.].
Pavlicic (US7, 904,725) [see claim 1].



Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
                                                                                                                                                                                                        Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.