Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	This action is in response to the claims filed 9/05/2019.  Claims 1-20 are pending.  Claims 1 (a non-transitory CRM), 8 (a machine), and 15 (a method) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 2, 6-9, 13-16, and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite a mental process of deciding “whether the identity entity is an authoritative identity provider”. This judicial exception is not integrated into a practical application because the additional elements of receiving data (from a device and identity entity) are merely an indication to apply the mental process to a machine, MPEP 2106.04(d)(I).  Moreover, the additional elements do not require a particular machine or improve a machine, as no action is performed in the claim. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the receipt of information is a well-understood, routine, conventional activity, MPEP 2106.05(d)(II).


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8, and 15 have three recitations of “an authoritative identity provider”.  The claims are ambiguous for implying that there are multiple authoritative identity providers without clearly delineating which one is related to which limitations. 
Claims 3-5, 10-12, and 17-19 require: “the authoritative entity provider” without sufficient antecedent basis.  Note that there is a singular mention in Applicant’s specification in ¶ 31 which appears to be a typographical error. 
The remaining dependent claims are rejected solely for their dependency on claims 1, 8, and 15. 



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-8, 11-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Edge et al., US 2013/0212663 (filed 2013-02), in view of Hawkes et al., US 2018/0295506 (filed 2017-04).
With respect to claims 1, 8, and 15 Edge discloses a CRM/machine/method comprising:
in response to a receipt of a request (“Authentication of the client by the discovered location server” Edge ¶ 69) from a device for roaming access (“A location server without a pre-provisioned permanent affiliation with a set of target devices may be referred to as a discovered location server.” Edge ¶ 5. Roaming meaning a visited network, without a pre-provisioned permanent affiliation.), connect to an identity entity at an address by a network access provider (“the digital certificate may be provided to the discovered location server by the home location server by means of a separate secure communication session between the two servers” Edge ¶ 73), wherein the request for roaming access (“The SET includes SET Token 150 in any initial SUPL message sent to the D-SLP during session establishment. SET Token 150 contains SET and H-SLP related information digitally signed by the H-SLP.” Edge ¶ 159) identifies an authoritative identity provider host name (“SET Token 150 may include the following 
receive a certificate from the identity entity; and (“the digital certificate may be provided to the discovered location server by the home location server by means of a separate secure communication session between the two servers” Edge ¶ 73)

Edge does not disclose:
determine, using the certificate, whether the identity entity is an authoritative identity provider or a proxy for an authoritative identity provider.

Hawkes discloses:
determine, using the certificate, whether the identity entity (“the first device may use the first hierarchical device certificate to show (e.g., prove) that it is authorized to perform a transaction (e.g., based on a delegated authority from the issuer of the first hierarchical device certificate). The first hierarchical device certificate may be sent to an authenticating device (e.g., verifier) to prove the first device has authority to perform a transaction within a restricted domain as defined by the first hierarchical device certificate 1010.” Hawkes ¶ 81. “A first hierarchical device certificate may then be obtained/generated that combines at least part of the first unique device identifier and the base domain name, wherein the first hierarchical device certificate is a fully qualified domain name 906.” Hawkes ¶ 75.  See also Hawkes ¶ 76) is an authoritative identity provider or a proxy for an authoritative identity provider. (“an entity or validating node 
... For each subsequent intermediate CA certificates (if any), the name constraints of the intermediate certificate are validated against the name constraints of its CA certificate of the intermediate CA certificate issuer” Hawkes ¶ 60. See also Hawkes figure 2. The certificate chain representing a plurality of proxies and the authoritative identity provider.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Edge with Hawkes by utilizing the hierarchical certificates of Hawkes as the certificates of Edge.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Edge with Hawkes in order to establish scopes of authority for certificate issuances and verification, thereby allowing CA delegation and domains of control, Hawkes ¶ 10.

As to claims 4, 11, and 18 Edge in view of Hawkes discloses the CRM/machine/method of claims 1, 8, and 15 and further discloses: 
wherein the network access provider has determined that the identity entity is the proxy for the authoritative identity provider, (i.e. determining that there exists intermediate certificates from a delegation: “an entity or validating node may apply RFC 5280 to validate a device certificate, validating each certificate in the chain, starting at the Root CA configuration and proceeding to the device certificate.

receive confirmation from the proxy for the authoritative entity provider that the device can be properly identified by the proxy for the authoritative entity provider; and (“the digital certificate may be provided to the discovered location server by the home location server by means of a separate secure communication session between the two servers” Edge ¶ 73)
grant the device roaming access to a network associated with the network access provider, when the network access provider accepts the certificate of the proxy for the authoritative entity provider and the device identification confirmation from the proxy for the authoritative entity provider. (“the client receives grant of secure communication access to the first server based on authentication of the client by the first server. The authentication may include using the client token to validate the client and using the digital signature to validate the client token.” Edge ¶ 94).

As to claims 5, 12, and 19 Edge in view of Hawkes discloses the CRM/machine/method of claims 4, 11, and 18 and further discloses: 
wherein the network access provider accepts the certificate of the proxy for the authoritative entity provider (“an entity or validating node may apply RFC 5280 to 
... For each subsequent intermediate CA certificates (if any), the name constraints of the intermediate certificate are validated against the name constraints of its CA certificate of the intermediate CA certificate issuer” Hawkes ¶ 60. See also Hawkes figure 2.)
without requiring the authoritative identity provider host name to be listed in the certificate for the proxy for the authoritative entity provider. (Hawkes ¶ 60, the authoritative identity provider being included in the intermediate certificate and, therefore, not required in the device certificate.)

As to claims 6, 13, and 20 Edge in view of Hawkes discloses the CRM/machine/method of claims 1, 8, and 15 and further discloses: 
wherein the certificate identifies the identity entity by a hierarchical unique ID which identifies the identity entity as the authoritative identity provider or the proxy for the authoritative identity provider. (“A first hierarchical device certificate may then be obtained/generated that combines at least part of the first unique device identifier and the base domain name, wherein the first hierarchical device certificate is a fully qualified domain name 906.” Hawkes ¶ 75)

As to claims 7 and 14, Edge in view of Hawkes discloses the CRM/machine of claims 1 and 8 and further discloses: 



Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Edge et al., US 2013/0212663 (filed 2013-02), in view of Hawkes et al., US 2018/0295506 (filed 2017-04), and Mockapetris “Domain names – implementation and specification” (published 1987).
As to claims 2, 9, and 16 Edge in view of Hawkes discloses the CRM/machine/method of claims 1, 8, and 15 but does not disclose: 
wherein the instructions are further effective to cause the at least one processor to: contact a domain name system (DNS) server to resolve the authoritative identity provider host name into the address; and 
receive by the network access provider a response from the domain name system (DNS) server indicating the address.

Mockapetris discloses:
wherein the instructions are further effective to cause the at least one processor to: contact a domain name system (DNS) server to resolve the authoritative identity provider host name into the address; and (see Mockapetris § 2.2. “the basic task of the 
receive by the network access provider a response from the domain name system (DNS) server indicating the address. (Mockapetris § 3.4.1, “address A 32 bit Internet address”)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Edge in view of Hawkes with Mockapetris by utilizing a DNS system to resolve the FQDN of Edge to an IP address (Edge ¶¶ 162-166).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Edge in view of Hawkes with Mockapetris in order to determine what address to contact for retrieval of certificates (Edge ¶ 73) when the FQDN is provided in the token from the client (Edge ¶¶ 162-166) as such an address translation is necessary when FQDNs are used. 

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Edge et al., US 2013/0212663 (filed 2013-02), in view of Hawkes et al., US 2018/0295506 (filed 2017-04), and Metke et al., US 2010/0082975 (filed 2008-09).
As to claims 3, 10, and 17 Edge in view of Hawkes discloses the CRM/machine/method of claims 1, 8, and 15 and further discloses: 
wherein the network access provider has determined that the identity entity is the authoritative identity provider, (“The client token…. This information is digitally signed by 
…
receive confirmation from the authoritative entity provider that the device can be properly identified by the authoritative entity provider; and (“the client receives grant of secure communication access to the first server based on authentication of the client by the first server. The authentication may include using the client token to validate the client and using the digital signature to validate the client token.” Edge ¶ 94)
grant the device roaming access to a network associated with the network access provider, when the network access provider accepts the certificate of the authoritative entity provider and the device identification confirmation from the authoritative entity provider. (“the client receives grant of secure communication access to the first server based on authentication of the client by the first server. The authentication may include using the client token to validate the client and using the digital signature to validate the client token.” Edge ¶ 94)

Edge in view of Hawkes does not disclose:


Metke discloses:
confirm that the authoritative identity provider host name matches data on the certificate; 
(“For each certificate, the path processing module checks: (1) the public key algorithm and parameters; (2) the current date/time against the validity period of the certificate; (3) revocation status to ensure the certificate is not revoked (e.g., by a certificate revocation list (CRL), online certificate status protocol (OCSP), or some other mechanism); (4) the issuer name to ensure that it equals the subject name of the previous certificate in the path; (5) name constraints to make sure the subject name is within the permitted subtrees list of all previous CA certificates and not within the excluded subtrees list of any previous CA certificate;” Metke ¶ 11).
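The chain walk described in the Hawkes ¶ 60 passage above and the issuer-name and name-constraint checks (items 4 and 5) quoted from Metke ¶ 11, as an added illustration that is not code from Edge, Hawkes or Metke: a simplified RFC 5280-style path check over constructed certificate records, which classifies an identity entity as authoritative (issued directly under the trust anchor) or a delegated proxy (intermediate CA certificates present) and confirms an expected host name against the leaf. The certificate records, names and helper functions are assumptions for the example.

```python
# Added illustration (not code from Edge, Hawkes or Metke): simplified RFC 5280-style
# path checks over constructed certificate records, deciding whether an identity
# entity is authoritative (directly under the trust anchor) or a delegated proxy.
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str                 # hierarchical FQDN-style name
    issuer: str
    is_ca: bool = False
    permitted: list = field(default_factory=list)  # name-constraint subtrees
    excluded: list = field(default_factory=list)

def in_subtree(name: str, subtree: str) -> bool:
    return name == subtree or name.endswith("." + subtree)

def validate_path(root: Cert, path: list) -> bool:
    """Root -> leaf walk: issuer must equal the previous subject (check 4) and
    each subject must satisfy every preceding CA's name constraints (check 5)."""
    prev, cas = root, [root]
    for cert in path:
        if cert.issuer != prev.subject:
            return False
        for ca in cas:
            if ca.permitted and not any(in_subtree(cert.subject, p) for p in ca.permitted):
                return False
            if any(in_subtree(cert.subject, e) for e in ca.excluded):
                return False
        prev = cert
        if cert.is_ca:
            cas.append(cert)
    return True

def classify_entity(root: Cert, path: list) -> str:
    """'proxy' when a delegation (intermediate CA) sits between root and leaf."""
    if not validate_path(root, path):
        return "invalid"
    return "proxy" if len(path) > 1 else "authoritative"

def host_matches(leaf: Cert, expected_host: str) -> bool:
    """Confirm the expected identity provider host name against the leaf."""
    return leaf.subject == expected_host

# Constructed sample chain: root -> delegated intermediate CA -> proxy server.
ROOT = Cert("idp.example.net", "idp.example.net", True, ["idp.example.net"])
DELEGATE_CA = Cert("proxy-ca.idp.example.net", "idp.example.net", True,
                   ["proxy-ca.idp.example.net"])
PROXY = Cert("srv1.proxy-ca.idp.example.net", "proxy-ca.idp.example.net")
DIRECT = Cert("srv2.idp.example.net", "idp.example.net")
ROGUE = Cert("other.example.org", "proxy-ca.idp.example.net")  # outside constraints
```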

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Edge in view of Hawkes with Metke by verifying the SLP ID in the token of Edge in the manner known in the art to validate the issuer name (Metke).  It would have been obvious to a person of ordinary skill in the art to combine Edge in view of Hawkes with Metke in order to perform certificate and token validation utilizing known mechanisms to validate the contents of the token of Edge, thereby ensuring the trustworthiness of the client. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Hawkes et al., US 2017/0289799 discloses FQDN certificate matching performed on a client to determine whether to trust a server.
Sharaga et al., US 2013/0276085, discloses single sign on for identity providers in a roaming scenario. 
Woodward et al., US 2013/0031615, discloses WLAN roaming traffic authentication.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, 





/MICHAEL W CHAO/           Examiner, Art Unit 2492