DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
No amendment was filed; the applicant only provided arguments. Claims 2-4, 6-11, 12-21 are pending.

Response to Arguments
Applicant's arguments filed 11/09/21 with respect to the 103 rejection regarding claims 1, 9, 18-19 have been fully considered but they are not persuasive. On pages 6-10 the applicant argued that the UE is not redirected from the gateway 140 to the third party (access provider identification service 130) to obtain a credential. The examiner respectfully disagrees. First of all, the claims do not require authentication; the claims require that credentials be supplied by a different party. Credentials could be a user id, user name, client IP address, password, pass phrase, PIN, etc. Otranen FIG. 4, step 415 teaches redirection for third-party user identification. Paragraphs [0058] and [0059] further emphasize that the user equipment is redirected for identification to a third party ([0058] In step 413, it is determined whether the identification user interface (UI) is to be provided by the third party, i.e., the federated identity service. If so, then in step 415, the process on the user equipment, e.g., authentication client module 122, is redirected to the third party. For example, message 300 is sent to the user equipment with a redirect to the federated identity service in field 310.; [0059] Furthermore, step 415 is an example means for causing a different party from the resource provider to provide identification data that indicates an identity for the 

On page 9 the applicant argued that “Secondly, the Examiner appears to interpret the provider identification service 130 (as an example federated identity service) as the claimed "gateway" (e.g., see Page of the Office Action). The Applicant respectfully disputes this interpretation, and notes that element 140 is consistently characterized as the network gateway throughout the entirety of Otranen's disclosure (e.g., see at least [0026] of Otranen)”. Claim 1 recites a “gateway”, but the recited gateway does not perform any proper function of a gateway (authentication/filtering) other than forwarding credentials. Otranen's identification service 130 provides the same service.

On the same page the applicant argued that “Thirdly, the Examiner appears to interpret the claimed "credential" as the identification token provided by the access provider identification service 130 of Otranen (e.g., see Page 4 of the Office Action). However, the Applicant notes that in the process of FIG. 4, the token is provided to the gateway 140, rather than the UE”. The examiner sees it differently: the whole limitation “receiving, from the controller in response to the first request, an instruction for the remote client device to request the credential from the gateway to the network based on the gateway, rather than the controller, being designated by an administrator of the network as a provider of the credential” is directed to redirecting to a different entity/gateway by a message/instruction, not to collecting a token/credentials. Otranen FIG. 4, step 415 and associated text teaches, 
 
On page 10 the applicant argued that the UE merely receives a success indication (not actual credentials). The examiner respectfully disagrees. Otranen [0047] discloses a token/shared code/public key/digital signature used between the UE and the third party to identify the user.

Priority
This application, which discloses and claims only subject matter disclosed in prior Application No. 13/802,586, filed March 13, 2013, appears to claim only subject matter directed to an invention that is independent and distinct from that claimed in the prior application, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a divisional application. Should applicant desire to claim the benefit of the filing date of the prior application, attention is directed to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.



Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject 

Claims 2-8, 9-15, 17-19, 21 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Kiwimagi et al. (US 20050120204 A1) in view of Otranen (US 20110209202 A1).

With regards to claim 2, Kiwimagi discloses, A method of operating a device that is remote from a network, and a gateway to the network, comprising:
transmitting, to a controller, a first request for a resource associated with access to the network ([0036] When a remote client 330 desires access to system host 310, the remote client 330 sends a request 340 to the security host 300.[0038] Note: remote client looking for key/token to access to system host ); 
receiving, from the controller in response to the first request, an instruction for the remote client device to request the resource from a gateway to the network based on the gateway being designated as a provider of the resource ([0038]; the security host 300 provides the network address 355 of the system host 310 to the remote client 330. [0035] If security host 300 is responsible for managing access to more than one system host 310, the data packet 320 may also include the identity of the corresponding system host 310. Security host 300 maintains the network address 325 and corresponding identity of the system host 310 (e.g., in the address database 216 in FIG. 2). Note: security host manages access suggest it working as gateway); 
transmitting, to the gateway in response to the instruction, a second request for the resource ([0039]; sends a request 370 for access to the system host 310 using the 
receiving the resource from the gateway in response to the second request ([0039]; Optionally, the remote client 330 also provides the security key 360 to the system host 310. [0040] The system host 310 may further authenticate the remote client 330 before granting access….. The security host 300 evaluates … the security key 360 to determine whether the remote client 330 is indeed authorized to access the system host 310.). Kiwimagi does not teach providing credentials through the gateway, but it teaches providing resources. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify Kiwimagi’s method to provide credentials (token/key) in order to establish secure network connections (Kiwimagi [0001]).

Kiwimagi does not, but Otranen teaches, receiving an instruction for the remote client device, rather than the controller, (gateway) being designated by an administrator of the network as a provider of the credential (FIG. 4, step 415 and associated text; [0063] Thus step 421 includes causing to be sent, to the different party, data based on user responses to the prompts of the user interface. This is one means for causing the different party to provide identification data that indicates an identity for the user and achieves the advantage of using the federated identity service without changing the rest of the legacy authentication service. In some embodiments, this takes place offline e.g. by utilizing digital signatures (which involves a trusted relationship between the ID federation gateway 140 and the federated identity service, e.g., access provider token indicating user credentials. Note: when UE 101 tries to connect to service 110, the server (controller) redirects to third party 130 (gateway) for identification (token); if identification is successful the token is received from 130, NOT from the server (controller)). It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify Kiwimagi’s method with the teaching of Otranen in order to enable users of one domain to securely access data or systems of another domain seamlessly by single sign-on (Otranen [0002]).

With regards to claims 3, 10, Kiwimagi further discloses, wherein the receiving receives the instruction in conjunction with a network address of the gateway ([0038]; the security host 300 provides the network address 355 of the system host 310 to the remote client 330. FIG. 4, step 450 and associated text), and wherein the second request is transmitted to the network address ([0039]; sends a request 370 for access to the system host 310 using the network address 355 provided to by the security host 300 in FIG. 3(a).).

With regards to claims 4, 11, Kiwimagi in view of Otranen further discloses, wherein the credential comprises a private key and a corresponding cryptographic certificate (Kiwimagi FIG. 3, element 360 and associated text; [0036]; However, other security credentials may also be used in addition to or instead of user login and password. Note: This is also well known in the art; please see Nedeltchev claim 11).


With regards to claims 6, 13, Kiwimagi in view of Otranen further discloses, wherein the credential received at the client device is encrypted, further comprising: decrypting the encrypted credential to produce a decrypted credential (Kiwimagi [0028] Security keys 218 may be provided to a remote client 220 that has been authenticated by the security host 210. In one implementation, security keys 218 are provided as an encrypted data packet, although other implementations are also possible.).

With regards to claims 7, 14, Kiwimagi in view of Otranen further discloses, wherein the credential received at the client device is not encrypted (Kiwimagi [0028]; [0038] Optionally, the security host 300 also provides the remote client 330 with a security key 360).

With regards to claim 9, Kiwimagi discloses, A method of operating a controller, comprising:
receiving a request from a remote client device for a resource associated with access to a network ([0036] When a remote client 330 desires access to system host 310, the remote client 330 sends a request 340 to the security host 300.[0038] Note: remote client looking for key/token to access to system host); 
determining that a gateway to the network is designated as a provider of the resource ([0038]; the security host 300 provides the network address 355 of the system host 310 to the remote client 330); and 
sending, to the remote client device based on the determination, an instruction for the remote device to request the credential from the gateway ([0038]; the security host 300 provides the network address 355 of the system host 310 to the remote client 330). Kiwimagi does not teach providing credentials through the gateway, but it teaches providing resources. It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify Kiwimagi’s method to provide credentials (token/key) in order to establish secure network connections (Kiwimagi [0001]).
Kiwimagi does not, but Otranen teaches, the network and the gateway to the network both being remote from the remote client device (FIG. 1 and associated text; Note: client 101 is remote to network 105 and gateway/third party 130 is also remote to 105); receiving an instruction for the remote client device, rather than the controller, (gateway) being designated by an administrator of the network as a provider of the credential (FIG. 4, step 415 and associated text; [0063] Thus step 421 includes causing to be sent, to the different party, data based on user responses to the prompts of the user interface. This is one means for causing the different party to provide identification data that indicates an identity for the user and achieves the advantage of using the federated identity service without changing the rest of the legacy authentication service. In some embodiments, this takes place offline e.g. by utilizing digital signatures (which involves a trusted relationship between the ID federation gateway 140 and the federated identity service, e.g., access provider identification service 130. [0076] In some embodiments, message 528 includes the identification information results produced by the service 130, such as a failure code or token indicating user credentials. Note: when UE 101 tries to connect to service 110, the server (controller) redirects to third party 130 (gateway) for identification (token); if identification is successful the token is received from 130, NOT from the server (controller)). It would have been obvious to a person of ordinary skill in the art at the time the invention was made to modify Kiwimagi’s method with the teaching of Otranen in order to enable users of one domain to securely access data or systems of another domain seamlessly by single sign-on (Otranen [0002]).

With regards to claims 17, 21, Kiwimagi in view of Otranen further discloses, after the sending, receiving a request from the gateway to verify whether a user of the remote client device is entitled to the credential ([0045]; In operation 460 a verification request from the system host is received, e.g., at the security host.); and
sending, in response to the request from the gateway, an indication as to whether the user of the remote client device is entitled to the credential ([0046] In operation 470, a determination is made whether access by the remote client is authorized. If it is determined that the remote client is not authorized to access the system host, access is denied in operation 475. For example, if the key has expired or been tampered with, the security host denies access to the system host.).

Claims 18, 19 are device claims corresponding to method claims 1, 9 and are also rejected accordingly.

With regards to claims 8, 15, Kiwimagi does not disclose, but it is well known in the art, wherein the gateway functions as both the provider and a source of the credential.

Claims 16, 20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Kiwimagi et al. (US 20050120204 A1) in view of Otranen (US 20110209202 A1) and further in view of Roth et al. (US 20140230007 A1).

With regards to claims 16, 20, Kiwimagi in view of Otranen further discloses, further comprising: storing an encrypted version of the credential in storage at the controller ([0028] Security keys 218 may be provided to a remote client 220 that has been authenticated by the security host 210. In one implementation, security keys 218 are provided as an encrypted data packet, although other implementations are also possible.); and
Kiwimagi in view of Otranen do not, but Roth teaches, after the sending, receiving a request from the gateway for the credential ([0095] The process 1500 may also include receiving ciphertext and an encrypted key. Receiving ciphertext and encrypted key may be performed in any suitable manner.); and
sending, in response to the request from the gateway, the encrypted version of the credential to the gateway ([0095] The process 1500 may also include receiving ciphertext and an encrypted key. Receiving ciphertext and encrypted key may be performed in any suitable manner. For example, the ciphertext and encrypted key may be received in a response to the request for the ciphertext from a data storage service. Generally, however, the ciphertext and encrypted key may be received 1504 in other 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached on 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498