Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's response with amendments filed 07/29/2021 has been received and entered. Applicant has amended claims 1, 2, 8, 9, 15, 16 and 21. Applicant added new claims 26-31 and cancelled claims 3, 4, 6, 7, 10, 11, 13, 14, 17, 18, and 20. New and amended claims have been examined on the merits.
Applicant’s arguments, see Applicant Argument page 14, with respect to the incorrect number cited for the first instance of NIX in the header of the 35 U.S.C. 103 rejection have been considered and are persuasive. The Examiner appreciates the Applicant’s considerations.
Applicant’s arguments, see Applicant Arguments pages 14-16, with respect to the rejection(s) of independent claims 1, 8, and 15 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of VASS et al. (US 20200204527), hereinafter VASS.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/29/2021 has been entered.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8, 15, 21, 23, and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of Nix (US 20190313246), hereinafter Nix in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman.
	Regarding Claims 1 and 8, Miyabayashi teaches
	A method and a first wireless access device associated with a network service provider, comprising: one or more memories; and one or more processors, communicatively coupled to the one or more memories (Para [0029] FIG. 1 is an explanatory diagram illustrating a configuration example of a communication system according to an embodiment of the present invention; Para [0068] As shown in FIG. 2, the communication devices 100 and 200 are principally configured of antennas 102 and 106, proximity communication unit 104, short-range communication unit 108, control unit 110, RAM (Random Access Memory) 112, ROM (Read Only Memory) 114, flash memory 116, input unit 118, and display unit 120. … The function of the control unit 110 is realized, for example, by a control circuit 712, controller 722, or CPU 902), comprising: 
	establishing, by a first wireless access device associated with a network service provider, a wireless local area network (WLAN) connection with a second wireless access device (Para [0125] First, the network mode of WLANs will be described with reference to FIG. 13. FIG. 13 is an explanatory diagram illustrating an example of the network mode of WLANs. Para [0126] The network modes in WLANs include an infrastructure mode, and ad-hoc mode. In many cases, the infrastructure mode is frequently employed wherein a single access point (hereafter, AP) is connected with multiple base stations (hereafter, BS). In the case of the infrastructure mode, an AP belongs to a local area network constructed by cable or by radio. Also, an AP is connected to various types of local server);
	providing the second wireless access device with access to a wide area network (WAN) based on successful completion of the mutual authentication procedure (Para [0317] With a WPS network, data is encrypted at the time of authenticating each device. That is to say, information and network certificates are exchanged securely within space by employing the extensible authentication protocol (EAP). The WPA2 is employed as an authentication protocol. In a case where authentication is executed mutually by devices, and a client is permitted over a network, connection is performed).
	Miyabayashi does not explicitly teach a method receiving, at the first wireless access device, a certificate associated with the second wireless access device, wherein the certificate includes a unique identifier associated with the second wireless access device.
	In the same field of endeavor, Nix teaches
	receiving, at the first wireless access device, a certificate associated with the second wireless access device (Para [0054] Note that in exemplary embodiments where AP 122b uses Extensible Authentication Protocol (EAP), … (ii) PSK.owner -…-AP 199b could also contain certificates for allowed WiFi clients … Para [0090] A secret key SK0.device 101s in a nonvolatile memory 101f could comprise the private key for a PKI key pair, where the corresponding public key could be recorded in a certificate cert0.device 101t. … [0091] For use of RSA algorithms, parameters within certificate 101t can specify a modulus and other associated values for using an RSA PKI key pair. … Likewise, a certificate such as cert0.device 101t could comprise two certificates,…),
	wherein the certificate includes a unique identifier associated with the second wireless access device (Para [0039] Device 101 can include manufactured secure processing environment (not shown). The manufactured secure processing environment can also be referred to as a secure enclave or secure element. Device 101 can comprise functionality of a processor such as an ARM.RTM. or Intel.RTM. based processor to secure cryptographic key materials including private keys in public key infrastructure (PKI) key pairs, secret shared keys, cryptographic parameters, cryptographic algorithms, a certificate 107a for the device 101 certificate authority, a root certificate 109a, etc. Para [0060] For a set of default credentials 103 in a device database 122x, ID.device 101b can correspond to a unique identifier for device 101, and the use of a ID.device 101b is depicted and described in connection with FIG. 1e below. In exemplary embodiments, ID.device 101b can comprise a MAC addresses used with a physical radio 101i interface. Or, ID.device 101b could comprise an international mobile equipment identifier (IEMI), and other possibilities exist as well for a unique device ID ID).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of Miyabayashi to incorporate the teachings of Nix such that the method of Miyabayashi includes receiving, at the first wireless access device, a certificate associated with the second wireless access device, wherein the certificate includes a unique identifier associated with the second wireless access device.  One would have been motivated to make such combination in order to provide certificate authority and a serial number/identifier for cert0.device (Nix, Para [0108]).
	The combination of Miyabayashi and Nix does not explicitly teach a method providing, by the first wireless access device, after determining whether the certificate is signed by a certificate authority and before performing a mutual authentication procedure with the second wireless access device, and based on determining that the certificate is expired or revoked, limited connectivity to the second wireless access device for one or more destinations that match a destination in a whitelist.
 	In the same field of endeavor VASS teaches
Para [0600] …Upon successful registration a signed device certificate is generated, stored, and communicated back to the device for consequent communications. Para [0601] Device registration is a necessary step in joining the Z-Platform infrastructure, as clients are required to satisfy the platform's 2-way mutual TLS authentication requirements using client-side X.509 authentications. Upon a client establishing a TLS connection, the presented client certificate is checked for validity (verifying if it was signed by Z-Platform's Client SubCA--discussed in greater detail elsewhere herein) and if the certificate has been black-listed or not. Para [0197] The platform's Core Services also provide device management functions, including but not limited to device registration (utilizing a one-way ID transformation), authentication, assignments (both user and application), and usage restrictions. When a device first gets registered, it only has access to a limited set of services to enable the user (or the system) to execute proper assignments (certain devices may or may not have access to applications and/or users)).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi and Nix to incorporate the teachings of VASS such that the method of the combination of Miyabayashi and Nix includes providing, by the first wireless access device, after determining whether the certificate is signed by a certificate authority and before performing a mutual authentication procedure with the second wireless access device, and based on determining that the certificate is expired or revoked, limited connectivity to the second wireless access device for one or more destinations that match a destination in a whitelist.  One would have been motivated to make such combination in order to satisfy 
	The combination of Miyabayashi, Nix, and VASS does not explicitly teach a method performing, by the first wireless access device and based on providing the limited connectivity to the second wireless access device, the mutual authentication procedure with the second wireless access device based on one or more ephemeral keys, wherein performing the mutual authentication procedure with the second wireless access device comprises: deriving a keyset from one or more shared secrets that are calculated based on a private ephemeral key and a public key included in the certificate.
 	In the same field of endeavor Nix (2) teaches
	performing, by the first wireless access device and based on providing the limited connectivity to the second wireless access device, the mutual authentication procedure with the second wireless access device based on one or more ephemeral keys (Col. 17, lines 25-41, FIG. 1c is a graphical illustration of a device provisioning protocol for (i) authentication and configuration of a responder and (ii) authentication of an initiator, in accordance with conventional technology. FIG. 1c depicts a summary of the WiFi Device Provisioning Protocol (DPP) specification, version 1.0 which was published on Apr. 9, 2018, supporting a mutual authentication 142 by both initiator 102* and responder 101x. The summary depicted in FIG. 1c highlights recorded bootstrap PKI keys, derived ephemeral PKI keys, and messages transmitted and received between an initiator 102* and a responder 101x. Many of (i) the PKI keys for initiator 102* and responder 101x, and (ii) the messages transmitted between the nodes are equivalent to those depicted and described in connection with FIG. 1b. This description of FIG. 1c herein focuses upon the differences from FIG. 1b in order for initiator 102* and responder 101x to mutually authenticate), 
	wherein performing the mutual authentication procedure with the second wireless access device comprises: deriving a keyset from one or more shared secrets that are calculated based on a private ephemeral key and a public key included in the certificate (Col. 14, lines 53-57, Key pair generation algorithm 101y can derive ephemeral PKI keys for responder 101x comprising public key Pr 101e and private key pr 101f, which could also be derived using a compatible set of parameters 199a for Br 101a, br 101b, Pi 102a and pi 102b).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, Nix, and VASS to incorporate the teachings of Nix (2) such that the method of the combination of Miyabayashi, Nix, and VASS includes performing, by the first wireless access device and based on providing the limited connectivity to the second wireless access device, the mutual authentication procedure with the second wireless access device based on one or more ephemeral keys, wherein performing the mutual authentication procedure with the second wireless access device comprises: deriving a keyset from one or more shared secrets that are calculated based on a private ephemeral key and a public key included in the certificate.  One would have been motivated to make such combination in order to support mutual authentication in order to securely authenticate a device and an initiator before transferring network access credentials to the device (Nix (2), Col. 2, lines 45-48).
	The combination of Miyabayashi, Nix, VASS, and Nix (2) does not explicitly teach a method calculating a receipt based on the derived keyset; and determining whether the receipt is verified based on the derived keyset; maintaining the WLAN connection when the receipt is verified.
 	In the same field of endeavor Perlman teaches
	calculating a receipt based on the derived keyset (Para [0035] The operation of the system is illustrated by reference to FIGS. 2 and 4a-4c. It is assumed for purposes of illustration that Node A 160 desires to send an ephemeral message to Node B 162, that is, a message that will become undecipherable after some time. … Node B then decrypts [X,Eph-Public Key]B-Public Key with Node B's private key to obtain X and the ephemeral public key as illustrated in step 208. Node B 162 then generates or obtains a second secret key SK2 for use in communicating with the ephemerizer 164 as depicted in step 210. The second secret key SK2 comprises a temporary key.); and
	determining whether the receipt is verified based on the derived keyset (Para [0037] Following receipt of the above-identified transmission from Node B 162, the ephemerizer 164 decrypts the second secret key (SK2) using the ephemeral private key assuming that the ephemeral key has not expired as depicted in step 214);
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, Nix, VASS, and Nix (2) to incorporate the teachings of Perlman such that the method of the combination of Miyabayashi, Nix, VASS, and Nix (2) includes calculating a receipt based on the derived keyset; and determining whether the receipt is verified based on the derived keyset; maintaining the WLAN connection when the receipt is verified.  One would have been motivated to make such combination in order to provide ephemeral decryptability and ensure that the message cannot be decrypted after a finite period (Perlman, Para [0010]).
	Regarding Claim 15,
Claim 15 is rejected for similar reasons as in claims 1 and 8.  Miyabayashi teaches a non-transitory computer-readable medium storing instructions (Para [0192] The drive 922 is a device which reads out, for example, information recorded in the removable recording medium 928 …).
	Regarding Claim 21, 
	The combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 1 above,
	wherein determining whether the certificate is signed by the certificate authority comprises:  following a certificate chain and verifying signatures of certificates until a chain of trust is established from the certificate to a certificate associated with a root certificate authority operated by the network Nix, Para [0230] In other words, in a step 507, device 101 could verify the public key for cert.owner 122c using cert.CA3 123a and a signature verification step 221, and then the public key for cert.CA3 123a could be verified by device 101 using a cert.CA.root 109a. For a step 507, if device 101 does not record the full certificate chain linking cert.owner 122c with a recorded cert.CA.root 109a, then device 101 could send a query to configuration server 112 requesting for an alternative certificate chain that would link cert.owner 122c with a recorded cert.CA.root 109a in device 101. For exemplary embodiments where (i) a different wireless network 329 is used than owner WiFi access point 122b and (ii) the credentials 199 received in message 503 are from the owner of wireless network 329, then both (a) message 503 can include a signature for the credentials 199 from the owner of the selected wireless network 329, and (b) a certificate for the owner of the selected wireless network 329, and (c) a chain of certificates linking the certificate for the owner of the selected wireless network 329 to a recorded root certificate cert.CA.root 109a).
 	The combination/rationale to combine the references is similar to that of claim 1 above.
	Regarding Claims 23 and 25,
Claims 23 and 25 are rejected for similar reasons as in claim 21.
Claims 2, 5, 9, 12, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of Nix (US 20190313246), hereinafter Nix in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman in view of Getschmann et al. (US 20180205722), hereinafter Getschmann. 
	Regarding Claim 2, the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 1 above,
further comprising: dropping the WLAN connection based on the certificate not being signed by the certificate authority associated with the network service provider or the unique identifier associated with the second wireless access device not appearing in the whitelist stored at the first wireless access device.
	In the same field of endeavor, Getschmann teaches
	The method recited in claim 1, further comprising: dropping the WLAN connection based on the certificate not being signed by the certificate authority associated with the network service provider (Para [0045] The SeGW node utilized for access to the MPC may therefore provide IPsec termination points which can authenticate the Factory Digital Certificate as well as the Operational Digital Certificates to be utilized by remote Access Cells. The SeGW IPsec endpoint should therefore be able to authenticate Factory Digital Certificates issued to Access Nodes. Para [0070] In some embodiments, upon failure, the CertMgr may continue to attempt to update the OPERATIONAL certificate until the current certificate fails to be valid and communication with the operator's network is terminated) or
	the unique identifier associated with the second wireless access device not appearing in the whitelist stored at the first wireless access device (Nix, Para [0062], … Security could be obtained from other means, such as (i) operating a firewall within WiFi access point 108i to restrict connectivity to a "whitelist" of approved devices (possibly identified by MAC address), (ii) operating a firewall within WiFi access point 108i to limit connectivity to approved IP addresses and port numbers, and (iii) WiFi access point 108i or WiFi client 101i could operate at low transmit powers such that the two nodes have to be in close physical proximity, such as less than several meters).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman to incorporate the teachings of Getschmann such that the method of the 
	Regarding Claim 5, the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 1 above,
	The method recited in claim 1, further comprising dropping the WLAN connection when the receipt is not verified (Getschmann, Para [0049] ... The Access Cell may be configured to use a Shared Secret or a Factory Digital Certificate to authenticate with the RA/CA. Via the Factory supplied Digital Certificate, the Access Cell is able to establish a trust relationship. …  In order to obtain operational access to the MPC the Access Cell should now terminate the field provisioning IPsec Tunnel and establish an operational IPsec Tunnel ... Para [0070] In some embodiments, upon failure, the CertMgr may continue to attempt to update the OPERATIONAL certificate until the current certificate fails to be valid and communication with the operator's network is terminated).
	The motivation/rationale to combine the references is similar to claim 2 above.
	Regarding Claims 9 and 16,
Claims 9 and 16 are rejected for similar reasons as in claim 2.
	Regarding Claims 12 and 19,
Claims 12 and 19 are rejected for similar reasons as in claim 5.
 Claims 22 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of Nix (US 20190313246), hereinafter Nix in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman in view of Vishwanath et al. (US 20050149759), hereinafter Vishwanath.
	Regarding Claim 22, the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 1 above,
	The combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman does not explicitly teach a method wherein the certificate authority updates a certificate revocation list (CRL) at the first wireless access device and the second wireless access device on a periodic or dynamic basis, and wherein the CRL is a blacklist that identifies one or more certificates that the certificate authority no longer deems trustworthy.
	In the same field of endeavor, Vishwanath teaches
 	wherein the certificate authority updates a certificate revocation list (CRL) at the first wireless access device and the second wireless access device on a periodic or dynamic basis, and wherein the CRL is a blacklist that identifies one or more certificates that the certificate authority no longer deems trustworthy (Para [0734] Signature verification. For a digital signature to have meaning, the application establishes that the user's certificate was valid at the time of the action. This verification requires verifying the digital signature on the certificate, checking the certificate's validation period, and checking the certificate against the issuing certificate authority's Certificate Revocation List (CRL). Para [0752] Key revocation: If a key is exposed, it will be invalidated so that it can no longer be used. This can be as simple as refusing to accept the key, if the key is only used in pair-wise connections. Asymmetric keys would be reissued through the certificate authority. The certificate authority will revoke the public key certificate and include the certificate in the certificate revocation lists that it issues).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman to incorporate the teachings of Vishwanath such that the method of the 
	Regarding Claim 24,
Claim 24 is rejected for similar reasons as in claim 22.
Claims 26-31 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of Nix (US 20190313246), hereinafter Nix in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman in view of Bao et al. (US 20100250922), hereinafter Bao.
	Regarding Claim 26, the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 15 above,
	The combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman does not explicitly teach a method wherein the certificate authority updates a certificate revocation list (CRL) at the first wireless access device and the second wireless access device on a periodic or dynamic basis, and wherein the CRL is a blacklist that identifies one or more certificates that the certificate authority no longer deems trustworthy.
	In the same field of endeavor, Bao teaches
	The non-transitory computer-readable medium recited in claim 15, wherein the certificate authority updates a certificate revocation list (CRL) at the first wireless access device and the second wireless access device on a periodic or dynamic basis (Para [0061] Certificate revocations also can be managed in various ways. For example, if the certificate of the trust bridge 205 is revoked by CA_A, CA_A will distribute an updated certification revocation list (CRL) to all members of organization A. Upon receiving the updated CRL, node A_1 will forward it to node C_1, which in turn is responsible for propagating the CRL within organization C. Similarly, if the certificate of the trust bridge 205 is revoked by CA_C, an updated CRL will be distributed by CA_C to all members of organization C. Upon receiving the updated CRL, node C_1 will forward it to node A_1, which in turn is responsible for propagating it within organization A. …), and
	wherein the CRL is a blacklist that identifies one or more certificates that the certificate authority no longer deems trustworthy (VASS, Para [0601] … Upon a client establishing a TLS connection, the presented client certificate is checked for validity (verifying if it was signed by Z-Platform's Client SubCA--discussed in greater detail elsewhere herein) and if the certificate has been black-listed or not. The black-list is maintained by automated scripting which updates the list file and refreshes the TLS terminator's associated links).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman to incorporate the teachings of Bao such that the method of the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman includes wherein the certificate authority updates a certificate revocation list (CRL) at the first wireless access device and the second wireless access device on a periodic or dynamic basis.  One would have been motivated to make such combination so that if the certificate of the trust bridge is revoked by either CA_A or CA_C, all inter-organizational trust links previously established through the trust bridge will have to be deconstructed and reestablished through another trust bridge (Bao, Paragraph [0061]).
Regarding Claim 27, the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 1 above,
	The method of claim 1, further comprising: instructing, based on determining that the certificate is expired or revoked, the second wireless access device to renew the certificate (Bao, Para [0061], … If the certificate of the trust bridge 205 is revoked by either CA_A or CA_C, all inter-organizational trust links previously established through the trust bridge 205 will have to be deconstructed and reestablished through another trust bridge. Para [0072], … Validity of the certification may, for example, be subject to time and space constraints. Scope of authority may be governed by a predetermined policy. In view of the limited validity and scope, some embodiments disallow renewal or update of the cross-signed certificates. However, the cross-signed certificates may be extended to newly joined devices as long as the certificate validity periods have not expired).
	The motivation/rationale to combine the references is similar to claim 26 above.
	Regarding Claim 28, the combination of Miyabayashi, Nix, VASS, Nix (2), Perlman, and Bao teaches all the limitations of claim 1 and claim 27 above,
	wherein the mutual authentication procedure is performed after the second wireless access device renews the certificate (VASS, Para [0600] …Upon successful registration a signed device certificate is generated, stored, and communicated back to the device for consequent communications. Para [0601] Device registration is a necessary step in joining the Z-Platform infrastructure, as clients are required to satisfy the platform's 2-way mutual TLS authentication requirements using client-side X.509 authentications. Upon a client establishing a TLS connection, the presented client certificate is checked for validity (verifying if it was signed by Z-Platform's Client SubCA--discussed in greater detail elsewhere herein) and if the certificate has been black-listed or not).
	The motivation/rationale to combine the references is similar to claim 26 above.
	Regarding Claim 29,

	Regarding Claim 30,
Claim 30 is rejected for similar reasons as in claim 28.
	Regarding Claim 31, the combination of Miyabayashi, Nix, VASS, Nix (2), and Perlman teaches all the limitations of claim 15 above,
	wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: instruct, based on determining that the certificate is expired or revoked, the second wireless access device to renew the certificate (Bao, Para [0061], … If the certificate of the trust bridge 205 is revoked by either CA_A or CA_C, all inter-organizational trust links previously established through the trust bridge 205 will have to be deconstructed and reestablished through another trust bridge. Para [0072], … Validity of the certification may, for example, be subject to time and space constraints. Scope of authority may be governed by a predetermined policy. In view of the limited validity and scope, some embodiments disallow renewal or update of the cross-signed certificates. However, the cross-signed certificates may be extended to newly joined devices as long as the certificate validity periods have not expired).
	The motivation/rationale to combine the references is similar to claim 26 above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMID TALAMINAEI whose telephone number is (571)270-3283. The examiner can normally be reached Flexible, M-F 7:30 -5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HAMID TALAMINAEI/Examiner, Art Unit 2436
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436