DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is a reply to the amendment filed on 09/01/2021, in which, claim(s) 1-8, 10-17, and 19-20 are pending. Claim(s) 1, 10, 11, and 20 are amended. Claim(s) 9 and 18 are cancelled. No claim(s) are newly added.

Response to Arguments
Specification Objection: 
Applicant’s arguments with respect to specification objection have been considered. The specification objection have been withdrawn in view of the amendment to the specification (the abstract).

Claim Objection: 
Applicant’s arguments with respect to objection of claim(s) 1, 10 and 20, have been considered. The objection of claim(s) 1, 10 and 20, have been withdrawn in view of the amendment to claim.

Claim Rejections - 35 U.S.C. § 101:
Applicants’ arguments with respect to claim(s) 10-19 have been fully considered and are persuasive.  The rejection of 35 USC §101 regarding claim(s) 10-19 have been 

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant’s arguments with respect to the rejection of claim(s) 1-8, 10-17, and 19-20 have been considered but are moot in view of the new ground(s) of rejection.

Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-8, 10-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Stuart A. Hoggan (US 2013/0311771 A1, cited by the applicant in the 05/18/2020 IDS) in view of Sahraei et al. (US 2019/0052621 A1, cited by the applicant .
Regarding Claim 1, Hoggan discloses A method of providing a certificate for a computing process ([0006], “FIG. 1 illustrates a certificate provisioning system…when provisioning a device 16 with a certificate”), comprising: 
establishing a first trust relationship between the computing process and the central authority ([0017], “the authenticate subscriber request”, [0019], “a trusted relationship has been established”), the establishing comprising: 
authenticating, by the at least one processor, the computing process, the authenticating including the central authority providing a token to the computing process ([0017], “assess whether the authenticate subscriber request was transmitted through an access point 22 having an address within a range of trusted addresses. The range of trusted addresses may correspond with access points 22 or other communication mediums associate with the MSO 14 that are trusted or otherwise known to be valid for use with the subscriber”, [0019], “the device 16 may transmit a certain security token request 48 to the RA 28. The security token request may include the assertion provided by the MSO. The RA 28 may assess the assertion to determine whether the MSO 14 associated therewith or other identifying characteristics of the assertion. The RA 28 may then rely on this assessment to determine whether a trusted relationship has been established of the type sufficient to warrant issuing a security token to be used in subsequently requesting a certificate”); 
receiving, by the at least one processor, a request for the certificate from the computing process, the request including the token ([0025], “The application send a certificate request to the RA API with the security token using an OAuth”); 
determining, by the at least one processor, that the computing process is eligible for the certificate according to the policy ([0019], “issue different security tokens depending on the identified MSO 14 or other permissions associated with issuing security tokens according to permissions (i.e. policies) specified within the assertion or otherwise associated with the identified MSO 14”, [0021], “Upon receipt of the security token, the device 16 may transmit a certificate request”); and 
validating, by the at least one processor, the token ([0025], “The API can validate the security token”); 
in response to the establishing, obtaining, by the at least one processor, the certificate, the certificate being signed by a third party certificate authority with which the central authority has a second trust relationship separate from the first trust relationship ([0002], “A digital certificate… signed by a trusted entity (e.g., a third-party certificate provider)” as a separate second trust relationship, [0025], “The CA can issue the certificate and sends it to the API. The API can respond to the application request with the certificate”); and 
providing, by the at least one processor, the certificate to the computing process ([0025], “The API can respond to the application request with the certificate”, “The application can install the certificate in the device”).  
Hoggan does not explicitly teach but Sahraei teaches
the token is a signed token ([0025], “signs the access token”); 
the policy ID data ([0029], “security policy associated with the system identifier”); 

The combined teaching of Hoggan and Sahraei does not explicitly teach but Bhargav-Spantzel teaches
establishing, by at least one processor of a central authority that is separate from the computing process, a policy by generating policy identifier (ID) data and associating the policy ID data with at least one certificate; providing, by the at least one processor, the policy ID data to the computing process ([0077], “the device further operates to request a signed digital certificate from a certificate authority that indicates use of the authentication policy (operation 650), such as may be provided with the inclusion of the authentication policy identifier in a client certificate”); 
Hoggan, Sahraei and Bhargav-Spantzel are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to request a certificate, the request including a token where the token is a signed token and the request also includes the policy ID data (as taught by the combined teaching of Hoggan and Sahraei) generated and associated with a certificate (as taught by Bhargav-Spantzel). The motivation/suggestion would have been for enforcing user authentication 

Regarding Claims 2 and 11, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches determining that the computing process complies with an access policy (Hoggan, [0017], “assess whether the authenticate subscriber request was transmitted through an access point 22 having an address within a range of trusted addresses. The range of trusted addresses may correspond with access points 22 or other communication mediums associate with the MSO 14 that are trusted or otherwise known to be valid for use with the subscriber” as determining if complies with an access policy); 
in response to determining that the computing process complies with the access policy, generating the signed token (Hoggan, [0018], “a response message 46 with an assertion in the event the two-factor authentication process or other authentication process is successfully”, [0019], “the device 16 may transmit a certain security token request 48 to the RA 28. The security token request may include the assertion provided by the MSO. The RA 28 may assess the assertion to determine whether the MSO 14 associated therewith or other identifying characteristics of the assertion. The RA 28 may then rely on this assessment to determine whether a trusted relationship has been established of the type sufficient to warrant issuing a security token to be used in subsequently requesting a certificate”, Sahraei, [0025], “signs the access token”); and 
sending the signed token to the computing process (Hoggan, [0020], “In the event there is a sufficient relationship, the RA 28 may issue a security token response token”, Sahraei, [0025], “signs the access token”).

Regarding Claims 3 and 12, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches wherein the determining includes: 
identifying the policy or the certificate from the policy ID data (Sahraei, [0024], “to read the client Distinguished Name (DN) of the certificate…query the retrieved security policy for membership of the client DN”, i.e. a policy associated with the certificate, [0029], “security policy associated with the system identifier”); and 
determining that the signed token grants permission to obtain the certificate according to the policy (Hoggan, [0019], “issue different security tokens depending on the identified MSO 14 or other permissions associated with issuing security tokens according to permissions (i.e. policies) specified within the assertion or otherwise associated with the identified MSO 14”, [0021], “Upon receipt of the security token, the device 16 may transmit a certificate request”, Sahraei, [0025], “signs the access token”).  

Regarding Claims 4 and 13, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches wherein the validating includes validating the signed token using a public key associated with a signing computer that signed the signed token (Sahraei, [0025], “signs the access token”, [0026], “The information may include the API policies and public keys… to validate the access token”).


Regarding Claims 5 and 19, the combined teaching of Hoggan, Sahraei and establishing, by the at least one processor, the second trust relationship with the third party certificate authority prior to the obtaining (Hoggan, [0002], “A digital certificate… signed by a trusted entity (e.g., a third-party certificate provider)” as a separate second trust relationship, [0025], “The CA can issue the certificate”).

Regarding Claims 6 and 15, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches wherein the obtaining includes sending a request for the certificate to the third party certificate authority (Hoggan, [0002], “A digital certificate… signed by a trusted entity (e.g., a third-party certificate provider)”, [0025], “The application can send a certificate request”, “The CA can issue the certificate”).

Regarding Claim 7, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches
wherein: the central authority includes a certificate manager configured to perform the determining, validating, obtaining, and providing (Hoggan, [0014], “The centralized certificate provisioning service 12 is shown to be comprised of … a certification authority (CA) 30”); and 
the at least one processor includes at least two processors, one of the at least two processors performing the authenticating, and another of the at least two processors providing the certificate manager (Hoggan, [0014], “The centralized certificate provisioning service 12 is shown to be comprised of a registration authority (RA) 28 and a certification authority (CA) 30”).  

Regarding Claims 8 and 17, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches registering, by the at least one processor, the computing process, the registering comprising establishing the central authority as an authentication and access authority for the computing process (Hoggan, [0014], “The centralized certificate provisioning service 12 is shown to be comprised of a registration authority (RA) 28 and a certification authority (CA) 30”).

Regarding Claim 10, Hoggan discloses A system for providing a certificate for a computing process ([0006], “FIG. 1 illustrates a certificate provisioning system…when provisioning a device 16 with a certificate”), comprising: 
at least one hardware processor ([0007], “instructions which, when executed by a processor”), the at least one processor being configured to perform processing comprising: 
establishing a first trust relationship between the computing process and the at least one processor ([0017], “the authenticate subscriber request”, [0019], “a trusted relationship has been established”), the establishing comprising:    
authenticating the computing process, the authenticating including providing a token to the computing process ([0017], “assess whether the authenticate subscriber request was transmitted through an access point 22 having an address within a range of trusted addresses. The range of trusted addresses may correspond with access points 22 or other communication mediums associate with the MSO 14 that are trusted or otherwise known to be valid for use with the subscriber”, token request 48 to the RA 28. The security token request may include the assertion provided by the MSO. The RA 28 may assess the assertion to determine whether the MSO 14 associated therewith or other identifying characteristics of the assertion. The RA 28 may then rely on this assessment to determine whether a trusted relationship has been established of the type sufficient to warrant issuing a security token to be used in subsequently requesting a certificate”); 
receiving a request for the certificate from the computing process, the request including the token ([0025], “The application can send a certificate request to the RA API with the security token using an OAuth”); 
determining that the computing process is eligible for the certificate according to the policy ([0019], “issue different security tokens depending on the identified MSO 14 or other permissions associated with issuing security tokens according to permissions (i.e. policies) specified within the assertion or otherwise associated with the identified MSO 14”, [0021], “Upon receipt of the security token, the device 16 may transmit a certificate request”); and 
validating the token ([0025], “The API can validate the security token”); 
in response to the establishing, obtaining the certificate, the certificate being signed by a third party certificate authority with which the at least one processor has a second trust relationship separate from the first trust relationship ([0002], “A digital certificate… signed by a trusted entity (e.g., a third-party certificate provider)” as a separate second trust relationship, [0025], “The CA can issue the certificate and sends it to the API. The API can respond to the application request certificate”); and 
providing the certificate to the computing process ([0025], “The API can respond to the application request with the certificate”, “The application can install the certificate in the device”).  
Hoggan does not explicitly teach but Sahraei teaches
a hardware transceiver configured to communicate with a computing process; and using the transceiver ([0054], “a wireless data transceiver”); 
the token is a signed token ([0025], “signs the access token”); 
policy ID data ([0029], “security policy associated with the system identifier”); 
Hoggan and Sahraei are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to request a certificate, the request including a token (as disclosed by Hoggan) where the token is a signed token and the request also includes the policy ID data using the transceiver (as taught by Sahraei). The motivation/suggestion would have been for automating security controls between computer networks (Sahraei, [0006]).
The combined teaching of Hoggan and Sahraei does not explicitly teach but Bhargav-Spantzel teaches
establishing a policy by generating policy identifier (ID) data and associating the policy ID data with at least one certificate; providing the policy ID data to the computing process ([0077], “the device further operates to request a signed digital certificate from a certificate authority that indicates use of the authentication policy (operation 650), such as may be provided with the inclusion of the policy identifier in a client certificate”); 
Hoggan, Sahraei and Bhargav-Spantzel are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to request a certificate, the request including a token where the token is a signed token and the request also includes the policy ID data (as taught by the combined teaching of Hoggan and Sahraei) generated and associated with a certificate (as taught by Bhargav-Spantzel). The motivation/suggestion would have been for enforcing user authentication (Bhargav-Spantzel, [0014]).

Regarding Claim 14, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches wherein the signing computer includes the at least one processor (Sahraei, [0025], “signs the access token”, [0006], “using one or more security control (SC) computing devices that include at least one processor”).  

Regarding Claim 16, the combined teaching of Hoggan, Sahraei and Bhargav-Spantzel teaches wherein the at least one processor includes at least two processors, one of the at least two processors performing the authenticating, and another of the at least two processors performing the determining, validating, obtaining, and providing (Hoggan, [0014], “The centralized certificate provisioning service 12 is shown to be comprised of a registration authority (RA) 28 and a certification authority (CA) 30”).  

Regarding Claim 20, Hoggan discloses A method of providing a certificate for a client device ([0006], “FIG. 1 illustrates a certificate provisioning system…when provisioning a (client) device 16 with a certificate”), comprising: 
authenticating, by the at least one processor, the client device to thereby establish a first trust relationship ([0017], “the authenticate subscriber request”, [0019], “a trusted relationship has been established”), the authenticating including: 
determining that the client device complies with an access policy ([0017], “assess whether the authenticate subscriber request was transmitted through an access point 22 having an address within a range of trusted addresses. The range of trusted addresses may correspond with access points 22 or other communication mediums associate with the MSO 14 that are trusted or otherwise known to be valid for use with the subscriber” as determining if the client device complies with an access policy), in response to determining that the client device complies with the access policy, generating a token ([0018], “a response message 46 with an assertion in the event the two-factor authentication process or other authentication process is successfully”, [0019], “the device 16 may transmit a certain security token request 48 to the RA 28. The security token request may include the assertion provided by the MSO. The RA 28 may assess the assertion to determine whether the MSO 14 associated therewith or other identifying characteristics of the assertion. The RA 28 may then rely on this assessment to determine whether a trusted relationship has been established of the type sufficient to warrant issuing a security token to be used in subsequently requesting a certificate”), and 
sending the token to the client device ([0020], “In the event there is a sufficient relationship, the RA 28 may issue a security token response 50 having the security token”); 
receiving, by the at least one processor, a request for the certificate from the client device, the request including the token ([0025], “The application can send a certificate request to the RA API with the security token using an OAuth”);    
determining, by the at least one processor, that the client device is eligible for the certificate according to the policy ([0019], “issue different security tokens depending on the identified MSO 14 or other permissions associated with issuing security tokens according to permissions (i.e. policies) specified within the assertion or otherwise associated with the identified MSO 14”, [0021], “Upon receipt of the security token, the device 16 may transmit a certificate request”); 
validating, by the at least one processor, the token ([0025], “The API can validate the security token”); 
in response to the determining and the validating, obtaining, by the at least one processor, the certificate, the certificate being signed by a third party certificate authority with which the at least one processor has a second trust relationship separate from the first trust relationship ([0002], “A digital certificate… signed by a trusted entity (e.g., a third-party certificate provider)” as a separate second trust relationship, [0025], “The CA can issue the certificate and sends it to the API. The API can respond to the application request with the certificate”); and 
providing, by the at least one processor, the certificate to the client device ([0025], “The API can respond to the application request with the certificate”, “The certificate in the device”).
Hoggan does not explicitly teach but Sahraei teaches
the token is a signed token ([0025], “signs the access token”); 
the policy ID data ([0029], “security policy associated with the system identifier”); 
Hoggan and Sahraei are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to request a certificate, the request including a token (as disclosed by Hoggan) where the token is a signed token and the request also includes the policy ID data (as taught by Sahraei). The motivation/suggestion would have been for automating security controls between computer networks (Sahraei, [0006]).
The combined teaching of Hoggan and Sahraei does not explicitly teach but Bhargav-Spantzel teaches
establishing, by at least one processor of a central authority that is separate from the computing process, a policy by generating policy identifier (ID) data and associating the policy ID data with at least one certificate; providing, by the at least one processor, the policy ID data to the computing process ([0077], “the device further operates to request a signed digital certificate from a certificate authority that indicates use of the authentication policy (operation 650), such as may be provided with the inclusion of the authentication policy identifier in a client certificate”); 
Hoggan, Sahraei and Bhargav-Spantzel are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of .

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, 





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497