DETAILED ACTION
1.	This action is responsive to communications regarding the applicant’s amendments and arguments, filed on 10/04/2021. 
2. 	Claims 1-7, 10-19, 22-24 are pending.
Response to Arguments and Amendments
3.	Applicant’s arguments filed on 10/04/2021, with respect to the 35 U.S.C 112 second paragraph rejections of claims 1-7, 10-19, 22-24 have been fully considered and persuasive. Therefore, the rejections of claims 1-7, 10-19, 22-24 have been withdrawn.
4.	Applicant’s arguments, see pages 2-3 on remarks, filed 10/04/2021, with respect to the rejection(s) of claim(s) 1-7, 10-19, 22-24 under 103 rejections have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Leonardo Weiss Chaves (US 20110320805).

However, the examiner notes that a portion of applicant’s amendment, which states “receiving first sensitive information from a client device [… ], with the encryption key having been provided by the client device to the configuration service” (method claim) and “a non-transitory computer-readable storage medium comprising programming instructions that are configured to implement a method […], wherein the programming instructions comprise instructions that cause the first computer entity to: 
receive first sensitive information from a client device […], with the encryption key having provided by the client device to the configuration service;”.

It is noted that the underlined portions above fail to further limit the claims.  That is, in method claim 1, the act of receiving encrypted sensitive information from a client device is not changed in scope in any manner by who provided an encryption key to whom. The pope could have provided the encryption key to the configuration service, and the act of receiving the encrypted information is still the act of receiving the encryption information.  With respect to system claim 13, the underlined clause also fails to further limit the structure claimed.  The instructions to receive encrypted first sensitive information are not impacted or changed by who provided an encryption key to whom.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-5, 10-17, 22-24 are rejected under 35U.S.C 103 as being unpatentable over Leonardo Weiss Chaves (US 20110320805), in view of  David Geoffrey Hook (US 20140351586), and further in view of Satyanarayanan Ramaswamy (US 8953786), hereinafter Ramaswamy.

	Chaves discloses receiving first sensitive information from a client device that has been encrypted and which corresponds to the first computing environment the entity 114 can encrypt the accumulated data using a key k.sub.j 206 producing encrypted accumulated data (data.sub.j).sub.kj. The entity 114 can store the encrypted accumulated data on the central database 112 in order to share the data with the successor entity 116 (Chaves, para 39). Examiner interprets store the encrypted accumulated data on the central database 112 is equivalent with receiving first sensitive information from a client device that has been encrypted. And a client device is the entity 114. The first sensitive information having been encrypted using an encryption key held by a configuration service of a second computing environment the entity 114 can write the key k.sub.j 206 used to encrypt the accumulated data on the RFID tag 124. The successor entity 116 can read the RFID tag 124 and access the shared data on the central database 112 (Chaves, para 39). REID tag 124 is stored on the central database 112 and the key used to encrypt the accumulated data on the RFID tag 124, therefore, encryption key held by the central database 112. With the encryption key having been provided by the client device to the configuration service the entity can encrypt the accumulated data using a key k.sub.j 206 producing encrypted accumulated data (data.sub.j).sub.kj (Chaves, para 39).
Receiving, from a second computing entity of the first computing environment, a request to share the first sensitive information between the first computing entity and the second computing entity a data request over the network for retrieving previous encrypted data from a database, the data request comprising the previous data reference, receiving the previous encrypted data from the database, and decrypting the previous encrypted data using the previous encryption key to provide decrypted data (Chaves, para 8), and Fig.1 entity 1-4 sharing data over network 102. 
However, Chaves fails to teach determining whether the second computing entity is a trusted entity included in a list of trusted computing entities configured to store sensitive information in the first computing environment, the list held by the configuration service; in response to determining that the second computing entity is not a trusted entity included in the list of trusted computing entities; determining whether the second computing entity can establish trust by; validating a subscription of the second computing entity with a directory service, and 2In re Patent Application of: HUANG ET AL. Serial No. 16/056,848 Filed: 08/07/2018validating a digital certificate corresponding to the second computing entity with a certificate authority; and in response to determining that the second computing entity can establish trust or is a trusted entity; a public key of a private public key pair generated by the second computing entity and included in the digital certificate; performing the following operations: generating second sensitive information by encrypting the first sensitive information using a public key of a private public key pair generated by the second computing entity and included in the digital certificate; transmitting the second sensitive information to the second computing entity via the configuration service so as to cause an enablement of at least one operation of the second computing entity; wherein the public key is different than the encryption key.
Hook teaches determining whether the second computing entity is a trusted entity included in a list of trusted computing entities configured to store sensitive information in the first computing environment, the list held by the configuration service a data store may granted based on a cryptographic authorisation such as an attribute certificate, checking that the requesting user is a user in an authorisation list (Hook, para 58). Examiner interprets requesting user is second computing entity.  
 In response to determining that the second computing entity is not a trusted entity included in the list of trusted computing entities the box owner's agent may advise the repository service to deny SSL access to the box for the un-invited user (Hook, para 484) , determining whether the second computing entity can establish trust by if a box owner or delegated administrator or privileged member requests certificates for a client box, then the Registration Authority (RA) may check with the repository service that the requestor is a member of the associated box (Hook, para 485).
validating a subscription of the second computing entity with a directory service, and 2In re Patent Application of: HUANG ET AL. Serial No. 16/056,848 Filed: 08/07/2018validating a digital certificate corresponding to the second computing entity with a certificate authority; and in response to determining that the second computing entity can establish trust or is a trusted entity the CA may perform minimal name check or proof of identity, for example, a verification of the email address to be used in the issued certificate, to validate that the name is somehow related to the person or application requesting the certificate. As part of certificate signing, a CA or RA may require other information such as evidence of identity, a unique label such as an email address, and/or cryptographic information such as a random number, timestamp etc. Initial name verification may involve the CA or RA giving the user an authorisation code (Hook, para 593), and if certificates have expired, the CA may, under pre-determined conditions, accept a CSR signed by the expired registrar private key in order to obtain a new registrar certificate and subsequently other certificates. The agent may then need to distribute renewed certificates to existing contacts (Hook, para 599). Examiner interprets that user certificate expired is a trusted entity and can establish trust after renew certificate. 
A public key of a private public key pair generated by the second computing entity and included in the digital certificate public key infrastructure may make use of one or more trusted organizations to have reliable and secure processes to support trust in certificates containing public keys (Hook , para 25).
It would have been obvious to one ordinary skill in the art at the time of the invention was made that Hook combine with that of Chaves in order to enable the provision of keys between a first user and a second user for enabling data security, and establish the existence of certificate-based credentials for each user.
Ramaswamy teaches performing the following operations: generating second sensitive information by encrypting the first sensitive information using a public key of a private public key pair generated by the second computing entity and included in the digital certificate encryption module 112 may be configured to receive data for encryption and to encrypt the same within the communication devices 108. In an implementation, the encryption module 112 may encrypt the data entered or uploaded by the user (Ramaswammy, column 7, [lines 13-16]), and the server 106 may include the server encryption module 114. When the data file is uploaded from the communication devices 108 to the server 106, the server encryption module 114 may encrypt the data file (Ramaswammy, column 7, [lines 43-50]). Examiner interprets the data file encrypt from the server is second sensitive information, and the data file already encrypted from the device 108 and upload to the server.  Ramaswamy further teaches and transmitting the second sensitive information to the second computing entity via the configuration service so as to cause an enablement of at least one operation of the second computing entity; wherein the public key is different than the encryption key the decryption module 212 may receive the second secure key from the user. The second secure key may be validated against the second secure key saved in the server 106. Upon successful validation, the encrypted data file is downloaded to a user device through which the user may be communicating with the server 106 (Ramaswamy, column 7, [lines 60-67]). Examiner interprets that after the server transmit the encrypted data file back to the user, the user decrypted the encrypted data file, and then the server validated the private key. Furthermore, the user encryption key to encrypt the data file is different than the public key which encrypted the first sensitivity data. Therefore, it would have been obvious to one ordinary skill in the art at the time of the invention was made that Hook combine with Ramaswamy in order to provide security against the hacking of the private key from the network which compromises the security of the data, and ensures that the first secure key does not get lost as well as not easily traceable by hackers in the server as the first secure key and the encrypted data are not located in separate files.


Regarding claim 2:
Chaves, Hook and Ramaswamy disclose in response to determining that the second computing entity can establish trust, by the configuration service associated with the second computing environment, adding the second computing entity to the list of trusted computing entities the second user may add the first user's certificates to their list of known contacts (e.g. Contact Certificates 472). The second user may check (e.g. Check 474) the signature of the MCT, for example using the registrar certificate of the first user. The second user may also check for revocation of the first user (Hook para 576). It would have been obvious to one ordinary skill in the art at the time of the invention was made that Hook combine with that of Chaves in order to enable the provision of keys between a first user and a second user for enabling data security, and establish the existence of certificate-based credentials for each user.


	Regarding claim 3:
	Chaves, Hook and Ramaswamy disclose generating the encryption key; generating the first sensitive information by encrypting information using the encryption key; transmitting the encryption key to the configuration service for storage; and transmitting the first sensitive information to the first computing entity the entity 114 can encrypt the accumulated data using a key k.sub.j 206 producing encrypted accumulated data (data.sub.j).sub.kj. The entity 114 can store the encrypted accumulated data on the central database 112 in order to share the data with the successor entity 116 (Chaves, para 39), and further the entity 114 can write the key k.sub.j 206 used to encrypt the accumulated data on the RFID tag 124. The successor entity 116 can read the RFID tag 124 and access the shared data on the central database 112 (Chaves, para 39).

Regarding claim 4:
Chaves, Hook and Ramaswamy disclose wherein the first computing entity is a first connector of the first computing environment and the second computing entity is a second connector of the first computing environment the first user provides to the second user two communications each via a separate channel (Hook, para 133). It would have been obvious to one ordinary skill in the art at the time of the invention was made that Hook combine with that of Chaves in order to enable the provision of keys between a first user and a second user for enabling data security, and establish the existence of certificate-based credentials for each user.



	Chaves, Hook and Ramaswamy disclose in response to determining that the second computing entity cannot establish trust, denying the request to share first sensitive information with the second computing entity when a user is un-invited from a box, the box owner's agent may advise the repository service to deny SSL access to the box for the un-invited user (Hook, para 484). It would have been obvious to one ordinary skill in the art at the time of the invention was made that Hook combine with that of Chaves in order to enable the provision of keys between a first user and a second user for enabling data security, and establish the existence of certificate-based credentials for each user.

	Regarding claim 10:
Chaves, Hook and Ramaswamy disclose receiving the transmitted second sensitive information; and decrypting the received second sensitive information using a private key of the private public key pair the decryption module 212 may receive the second secure key from the user. The second secure key may be validated against the second secure key saved in the server 106. Upon successful validation, the encrypted data file is downloaded to a user device through which the user may be communicating with the server 106 (Ramaswamy, column 7, [lines 60-67]). Therefore, it would have been obvious to one ordinary skill in the art at the time of the invention was made that Chaves combine with Ramaswamy in order to provide security against the hacking of the private key from the network which compromises the security of the data, and ensures that the first secure key does not get lost as well as not easily traceable by hackers in the server as the first secure key and the encrypted data are not located in separate files.

Regarding claim 11:
Chaves, Hook and Ramaswamy disclose adding, by the configuration service, the second computing entity to the list of trusted computing entities in response to decryption of the second sensitive information by the second computing entity the second user may add the first user's certificates to their list of known contacts (e.g. Contact Certificates 472). The second user may check (e.g. Check 474) the signature of the MCT, for example using the registrar certificate of the first user. The second user may also check for revocation of the first user (Hook, para 576). It would have been obvious to one ordinary skill in the art at the time of the invention was made that Hook combine with that of Chaves in order to enable the provision of keys between a first user and a second user for enabling data security, and establish the existence of certificate-based credentials for each user.


Regarding claim 12:
Chaves, Hook and Ramaswamy disclose receiving, from the second computing entity, the request to share the first sensitive information is in response to at least one of the following: addition of the second computing entity to the first computing environment, a user 4 Active\117109666.v1-12/18/20Application No. 16/056,848Docket No.: ID1592US(161095.00095)Amendment dated: December 18, 2020request to share the first sensitive information, or a request to access a first resource via the second computing entity using the first sensitive information use of end-to-end encryption and other techniques effectively makes intermediate providers “blind to what information is being shared, who is sharing with whom, and any other behavioral or social network patterns between participants (Hook, para 93).

Regarding claim 13:
Claim 13 is rejected under the same reason set forth in rejection of claim 1.

Regarding claim 14:
Claim 14 is rejected under the same reason set forth in rejection of claim 2.

Regarding claim 15:
Claim 15 is rejected under the same reason set forth in rejection of claim 3.

Regarding claim 16:
Claim 16 is rejected under the same reason set forth in rejection of claim 4.

Regarding claim 17:


Regarding claim 22
Claim 22 is rejected under the same reason set forth in rejection of claim 10.

Regarding claim 23:
Claim 23 is rejected under the same reason set forth in rejection of claim 11.

Regarding claim 24:
Claim 24 is rejected under the same reason set forth in rejection of claim 12.
6. 	Claims 6-7, 18-19 are rejected under 35U.S.C 103 as being unpatentable over Leonardo Weiss Chaves (US 20110320805), in view of  David Geoffrey Hook (US 20140351586), and Satyanarayanan Ramaswamy (US 8953786), further in view of Guido Noordende (US 20140047513), hereinafter Noordende.

Regarding claim 6:
Chaves, Hook, Ramaswamy and Noordende disclose determining whether the second computing entity can establish trust further comprises, by the second computing entity: joining the directory service, wherein the directory service includes information about one or more trusted entities; generating a private public key pair that includes a private key and a public key; receiving, from the certificate authority, the digital certificate corresponding to the second computing entity including the public key; and 3Active\117109666.v1-12/18/20Application No. 16/056,848Docket No.: ID1592US(161095.00095)Amendment dated: December 18, 2020transmitting, to the configuration service, a request to join a list of trusted entities, wherein the request comprises the digital certificate corresponding to the second computing entity the public/private key pair may be generated through use of the RSA algorithm or any other like asymmetrical key schema, and may be implemented in a public key infrastructure using a certificate authority (CA). In addition to being used for authentication, i.e., as a digital certificate or signature, public and private keys may be used to encrypt sensitive information communicated between the client systems and source systems or to generate a symmetric (session) key known only to the communicating parties 

Regarding claim 7:
Chaves, Hook, Ramaswamy and Noordende disclose determining whether the second computing entity can establish trust further comprises receiving, by the first computing entity, from the configuration service, the digital certificate corresponding to the second computing entity, and the digital certificate includes a public key of a private public key pair generated by the second computing entity the public/private key pair may be generated through use of the RSA algorithm or any other like asymmetrical key schema, and may be implemented in a public key infrastructure using a certificate authority (CA). In addition to being used for authentication, i.e., as a digital certificate or signature, public and private keys may be used to encrypt sensitive information communicated between the client systems and source systems or to generate a symmetric (session) key known only to the communicating parties (Noordende, paragraph 46). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching of Chaves with that of Noordende in order to decrypt the at least one record or the data structure containing at least one of the key or an identifier of the key adapted to decrypt the at least one record, such that the client system is enabled to retrieve the at least one record from the at least one data storage device and decrypt the at least one record with the key or with the key obtained by the client from a separate service, using the identifier of the key.

Regarding claim 18:
Claim 18 is rejected under the same reason set forth in rejection of claim 6.


Claim 19 is rejected under the same reason set forth in rejection of claim 7.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thanh Le whose telephone number is (571)-484-3777.  The examiner can normally be reached on Monday-Friday 8:00a.m to 5p.m. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nickerson Jeffrey L can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/THANH H LE/Examiner, Art Unit 2432