Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is in response to the communication filed on 8/24/2021.
Response to Arguments
Applicant's arguments filed 8/24/2021 have been fully considered but they are not persuasive.
First, the examiner notes that the applicants have only presented arguments pertaining to independent claim 1 and dependent claim 4.  As the scope of the other claim sets is quite different than that of claim 1, and the arguments have not been made for any of the other claim sets, the examiner has applied the rejections that are presented below for those claims, without need to respond with respect to those claims in this section.
With respect to claim 1, the applicants assert without further explanation that “Dralik and Iga fail to disclose a network device receiving an APP’s certificate from a certification issuing device, where ‘the certificate provides permission authentication when the APP accesses an application programming interface (API) of a controller.’” The examiner disagrees.  The scope of “a controller” is simply something that controls.  The API provider controls access to the APIs, as well as issues the certificates which are used to control the access to the APIs, and as such meets the scope of the claimed “controller”.  Therefore the examiner does not find the argument persuasive. 
With respect to claim 1, the applicants’ further assert without further explanation that “Iga [alone] appears silent as to its certificate comprising not only ‘information about operation In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  In this case, the applicants are arguing against Iga alone with regards to a portion of the claims where the rejection clearly relies upon the combination that would have been obvious to the person having ordinary skill in the art, before the effective filing date of the invention, based upon the teachings of Draluk and Iga.  As such, the argument is moot and unpersuasive.  The argument is further moot in view of the teachings of Brown, which is not further relied upon in rejecting the amended claims.
The applicants further assert, with respect to claim 4, that the combination of Draluk and Iga do not teach a bitmap, the examiner disagrees.  The requirement of whether or not the limitation is rendered obvious is not whether the limitations are taught verbatim.  Rather the test is whether or not the combination would have rendered obvious something that falls within the scope of the language used.  The fact that Draluk does not use the term “bitmap” is inconsequential.  The combination of Draluk, Brown, and Iga, which is relied upon below, meets the claim limitations, and as such the argument is moot as the rejection relies upon the further teachings of Brown.
The examiner notes the applicant’s lack of traversal regarding the examiner’s previous statements of what was well known in the art.  As such, the examiner is now considering those statements to be applicant admitted prior art.  See MPEP Section 2144.03c.

All objections and rejections not set forth below have been withdrawn.
Claims 1-20 have been examined.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/24/21 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Draluk (US Patent Application Publication Number 2013/0160147), and further in view of Brown et al. (WO 01/33340 A2) hereinafter referred to as Brown, and further in view of Iga (US Patent Application Publication Number 2010/0229242).

sending, by a network device, certificate application information to a certificate issuing device, wherein the certificate application information comprises an application (APP) (Draluk Paragraphs 0035-0036); and
receiving, by the network device, a certificate that is of the APP and that is from the certificate issuing device, wherein the certificate is generated according to the APP, and wherein the certificate provides permission authentication when the APP accesses an application programming interface (API) of a controller (API Provider) (Draluk Paragraphs 0035-0036).
Draluk did not explicitly teach that the certificate comprised information about operation permission of the APP on N application programming interfaces (APIs) of a controller, identifiers of L APIs that are of the N APIs and that the APP has permission to operate, and identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate, wherein N is a natural number greater than or equal to 1, wherein L is a natural number greater than or equal to 1, and less than or equal to N, and wherein R is a natural number greater than or equal to 1 less than or equal to N.
Brown taught that permissions regarding which APIs a particular entity can access can be stored in an access control list which comprises a bitmap indicating to which APIs the particular entity can access, where the bitmap is a list of zeros and ones that are each mapped to a particular API, where a zero means that access is not granted and where a one means that access is granted (Brown Page 11 for example, especially the table and the last paragraph).  
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Brown in the API 
Iga taught a system in which API permissions are determined, and where Iga taught that instead of using a table to store permitted functions associated with a certificate, the permissions can be indicated in the certificate itself (Iga Paragraph 0006, for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Iga in the API permission system of Draluk and Brown by including the access control bitmap in each certificate.  This would have been obvious because the person having ordinary skill in the art would have been motivated to provide a specific means for indicating and verifying which APIs are permitted to be accessed.
Regarding claim 11, Draluk disclosed a certificate generating device, comprising: 
a communications interface configured to receive certificate application information and send the certification application information, wherein the certification application information comprises an application (APP) (Draluk Paragraphs 0035-0036); and
a certificate generation module configured to receive the certificate application information from the communications interface and generate a certificate according to the APP in the certificate application information (Draluk Paragraphs 0035-0036).
Draluk did not explicitly teach that the certificate comprises information about operation permission of the APP on N application programming interfaces (APIs) of a or identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate, wherein N is a natural number greater than or equal to 2, wherein L is a natural number greater than or equal to 1, and less than or equal to N, and wherein R is a natural number greater than or equal to 1 less than or equal to N.
Brown taught that permissions regarding which APIs a particular entity can access can be stored in an access control list which comprises a bitmap indicating to which APIs the particular entity can access, where the bitmap is a list of zeros and ones that are each mapped to a particular API, where a zero means that access is not granted and where a one means that access is granted (Brown Page 11 for example, especially the table and the last paragraph).  
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Brown in the API permission system of Draluk by using a bitmap to indicate to which APIs the APK would be granted access and to which APIs the APK would be denied access.  This would have been obvious because the person having ordinary skill in the art would have been motivated to provide an arbitrary (i.e. customizable) and extensible means for describing the controlled permissions of the APK to the various APIs of the API provider.
Iga taught a system in which API permissions are determined, and where Iga taught that instead of using a table to store permitted functions associated with a certificate, the permissions can be indicated in the certificate itself (Iga Paragraph 0006, for example).
Regarding claim 6, Draluk disclosed an authentication method, comprising:
receiving, by an authentication device, an access request message of an application (APP), wherein the access request message comprises a digital certificate (Draluk 
determining, by the authentication device, operation permission of the APP on the one or more APIs based on the digital certificate (Draluk Paragraphs 0021 and 0026 for example).
Draluk did not explicitly teach that the digital certificate comprises information about operation permission of the APP on N application programming interfaces (APIs) of a controller, identifiers of L APIs that are of the N APIs and that the APP has permission to operate, or identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate, wherein N is a natural number greater than or equal to 2, wherein L is a natural number greater than or equal to 1, and less than or equal to N, and wherein R is a natural number greater than or equal to 1 less than or equal to N.
Brown taught that permissions regarding which APIs a particular entity can access can be stored in an access control list which comprises a bitmap indicating to which APIs the particular entity can access, where the bitmap is a list of zeros and ones that are each mapped to a particular API, where a zero means that access is not granted and where a one means that access is granted (Brown Page 11 for example, especially the table and the last paragraph).  
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Brown in the API permission system of Draluk by using a bitmap to indicate to which APIs the APK would be granted access and to which APIs the APK would be denied access.  This would have been obvious because the person having ordinary skill in the art would have been motivated to 
Iga taught a system in which API permissions are determined, and where Iga taught that instead of using a table to store permitted functions associated with a certificate, the permissions can be indicated in the certificate itself (Iga Paragraph 0006, for example).

Regarding claim 16, Draluk disclosed a network device, comprising:
a controller comprising N application programming interfaces (APIs), wherein N is a natural number greater than or equal to 2 (Draluk Paragraphs 0035-0036);
a communications interface configured to receive an access request message of an application (APP) in communication with the controller, wherein the access request message comprises a digital certificate (Draluk Paragraphs 0021 and 0026 for example), wherein the digital certificate is used to verify operation permission of the APP (Draluk Paragraphs 0018 and 0035-0036); and
an authentication module coupled to the communications interface and configured to determine operation permission of the APP on the one or more APIs based on the digital certificate (Draluk Paragraphs 0021, 0026, and 0035-0036 for example).
Draluk did not explicitly teach that the digital certification comprises information about operation permission of the APP on the N APIs of the controller, identifiers of L APIs that are of the N APIs and that the APP has permission to operate, or identifiers of R APIs that are of the N APIs and that the APP does not have permission to operate, wherein L is a natural number greater than or equal to 1, and less than or equal to N, and wherein R is a natural number greater than or equal to 1 less than or equal to N.

It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Brown in the API permission system of Draluk by using a bitmap to indicate to which APIs the APK would be granted access and to which APIs the APK would be denied access.  This would have been obvious because the person having ordinary skill in the art would have been motivated to provide an arbitrary (i.e. customizable) and extensible means for describing the controlled permissions of the APK to the various APIs of the API provider.
Iga taught a system in which API permissions are determined, and where Iga taught that instead of using a table to store permitted functions associated with a certificate, the permissions can be indicated in the certificate itself (Iga Paragraph 0006, for example).


Regarding claim 2, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of the N APIs and operation permission of the APP on each of the N APIs (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example).



Regarding claims 4, Draluk and Iga taught that the certificate comprises the information about operation permission of the APP on the N APIs of the controller, and wherein the operation permission is represented  using a bitmap (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example), wherein each of the L APIs that the APP has permission to operate is identified in the bitmap using a first binary bit, and wherein each of the R APIs that the APP does not have permission to operate is identified in the bitmap using a second binary bit (Brown Page 11 for example, especially the table and the last paragraph).

Regarding claim 5, while Draluk, Brown, and Iga did not explicitly teach that that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in extended information of the certificate, and wherein the extended information includes a type field, a default field, and a value field, it was well known in the art of digital certificates that the extended information portion of a certificate can be used for storing data needing to be stored in the certificate, and that the extended information of a certificate also includes a type field 

Regarding claim 7, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of the N APIs and operation permission of the APP on each of the N APIs (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example).

Regarding claim 8, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in a respective M API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is an integer greater than or equal to 0, and less than or equal to N (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example).

Regarding claim 9, Draluk, Brown, and Iga taught that operation permission is represented using a bitmap when the digital certificate comprises the operation permission of the APP on the N APIs of the controller (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown 


Regarding claim 10, while Draluk, Brown, and Iga did not explicitly teach that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in extended information of the certificate, it was well known in the art that the extended information portion of a certificate can be used for storing data needing to be stored in the certificate, and as such it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have done so in the system of Draluk, Brown, and Iga.  This would have been obvious because the person having ordinary skill in the art would have been motivated to utilize a well-known means for storing information in a certificate to store the generically taught storing of the security permission information of Draluk, Brown, and Iga.


Regarding claim 12, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of the N APIs and operation permission of the APP 

Regarding claim 13, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in a respective M API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is a natural number greater than or equal to 1, and less than or equal to N (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example).

Regarding claim 14, Draluk, Brown, and Iga taught that operation permission is represented using a bitmap when the certificate comprises the operation permission of the APP on the N APIs of the controller ((Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example)), wherein each of the L APIs that the APP has permission to operate is identified using a first binary bit in the bitmap, and wherein each of the R APIs that the APP does not have permission to operate is identified using a second binary bit in the bitmap (Brown Page 11 for example, especially the table and the last paragraph).

Regarding claim 15, while Draluk, Brown, and Iga did not explicitly teach that one or more of the information, the identifiers of L APIs, or the identifiers of R APIs are carried in 

Regarding claim 17, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of the N APIs and operation permission of the APP on each of the N APIs (Draluk Paragraphs 0021, 0026, and 0035-0036, Brown Page 11 for example, especially the table and the last paragraph, and Iga Paragraphs 0072-0074 for example).

Regarding claim 18, Draluk, Brown, and Iga taught that the information about operation permission comprises identifiers of M API identifier sets, wherein an identifier of each of the M API identifier sets identifies operation permission on K APIs in a respective M API identifier set, wherein M is a natural number greater than or equal to 1, and wherein K is a natural number greater than or equal to 1, and less than or equal to N (Draluk Paragraphs 0021 and 0026, and Iga Fig. 3 and Paragraphs 0072-0074 for example).

Regarding claim 19, Draluk, Brown, and Iga taught that the operation permission is represented using a bitmap when the digital certificate comprises the operation permission of .
Allowable Subject Matter
Claim 20 is objected to as being dependent upon a rejected base claim, but claim 20 would be allowable if rewritten in independent form including all of the limitations of the base claim 16.

Conclusion
Claims 1-19 have been rejected, while claim 20 has been objected to.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday- Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.