Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the application filed on 02/13/2020; Claims 1, 9, and 17 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.
Drawings
The drawings were received on 02/13/2020.  These drawings are reviewed and accepted by the Examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3, 5, 8-9, 11, 13, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), and Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017).
Regarding claim 1, Wu teaches a method comprising: 
  receiving, by a cloud computing environment from a client, a request to access an application executing in the cloud computing environment, the request encapsulating a certificate (Wu: abstract, fig. 9, par. 0089, the IIoT machine 104 generates a certificate signing request (CSR) and provides this request to the edge manager 920 [i.e. in the cloud environment]);
  encapsulating the access token in the request and forwarding the request to an authentication service (Wu: fig. 10, par. 0068, In an example embodiment, the enrollment service application 620 receives the first access token at operation 560, and then at operation 570, the enrollment service application 620 sends the same first access token [i.e. forwarding the request] to the UAA service 610 [i.e. authentication service]), which provides access to the application if there is a match [i.e. enrolling the machine] (Wu: fig. 4, par. 0058, The device credential data can be configured to grant the Industrial Internet of Things (IIoT) machine 104 subsequent access to one or more cloud-based services at the IIoT cloud 106; par. 0074, …the IIoT machine 104 provides the credential data (e.g., including a client identification code and a client secret or password) to the UAA service 610 with a request for access to a specified service).
Wu further discloses accepting a request from a device if the device identifier matches one of the pre-loaded identifiers (Wu: par. 0087, By pre-loading device identifiers at the edge manager 920, the edge manager 920 can be pre-configured to accept a request from a device that bears or presents a device identifier that matches one of the pre-loaded identifiers) but does not explicitly disclose requesting, in response to the identification of the match, an access token.
However, in an analogous art, Bocanegra discloses requesting, in response to the identification of the match, an access token (Bocanegra: fig. 2, par. 0023, … an HTTP request to access the protected resource, which is held by a protected resource server. The HTTP request includes a bearer token in the request header … if the client identification value matches one in the list, the bearer token is verified by the OAuth Authentication Service, which returns an access token to the third party application).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bocanegra with the method and system of Wu, wherein an access token is requested in response to the identification of the match, to allow access tokens to be issued to a third party without compromising the integrity of other authorization credentials while eliminating the need for the resource server to accommodate multiple different authentication schemes (Bocanegra: abstract, par. 0012).
Wu and Bocanegra do not explicitly disclose translating the certificate into an authorization graph descriptor.
However, in an analogous art, Narayanan discloses translating the certificate into an authorization graph descriptor (Narayanan: par. 0007, generating [i.e. translating] a social graph based certificate. A user certificate for a user of the user device is obtained, wherein the user is associated with a user public key and corresponding user private key; par. 0036).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Narayanan with the method and system of Wu and Bocanegra, wherein the certificate is translated into an authorization graph descriptor (Narayanan: abstract, pars. 0003, 0006, 0039).
The combination of Wu and Narayanan discloses translating the certificate into an authorization graph descriptor and checking a certificate to identify a match within a certificate repository (Wu: par. 0094, checking a certificate against records in the device registry 940 [i.e. certificate repository]) but does not explicitly disclose traversing a certificate authorization graph using the authorization graph descriptor to identify a match within a certificate repository.
However, in an analogous art, Carter discloses traversing a graph using queries to identify a match within a repository (Carter: figs. 2-3, pars. 0029, 0034; par. 0036, queries of the graph database [i.e. repository] from the management process, search [i.e. traversing] the data stores and/or index structures in the node for records matching the queries, and return results of the queries that contain the records to the management process).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Carter with the method and system of Wu, Bocanegra, and Narayanan, wherein a certificate authorization graph is traversed using the authorization graph descriptor to identify a match within a certificate repository, to improve performance and the user experience when using the application and to improve monitoring and isolation of resources and failures over systems that utilize multiple threads instead of multiple processes (Carter: abstract, pars. 0009, 0045, 0047).
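The flow recited in claim 1, as the examiner maps it above, is a gateway that (a) receives a client certificate over two-way TLS, (b) translates it into a hierarchical authorization graph descriptor, (c) traverses a rooted certificate authorization graph to find a match in a certificate repository, and (d) only on a match requests an access token and forwards the request, with the token encapsulated, to the authentication service. The following Python is an added illustration of that flow written for this page; it is not code from the application under examination or from any of the cited references. The certificate subject fields, the graph, the repository contents, the HMAC token format and every function name are assumptions made for the example. Walking the graph edge by edge (rather than looking the descriptor up directly) is what makes an unknown intermediate node or a non-leaf descriptor fail closed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for the parsed subject of an X.509 client certificate
# presented over two-way TLS (the real parse would come from the TLS layer).
SAMPLE_CERT = {
    "O": "ExampleCorp",
    "OU": "plant-7",
    "CN": "pump-controller-42",
    "fingerprint_sha256": hashlib.sha256(b"constructed-der-bytes").hexdigest(),
}

# Assumed certificate authorization graph: a rooted directed graph stored as an
# adjacency map. Leaves are stable descriptors; the repository maps each leaf
# descriptor to the applications that certificate may reach.
AUTH_GRAPH = {
    "root": ["org:ExampleCorp"],
    "org:ExampleCorp": ["ou:plant-7", "ou:plant-9"],
    "ou:plant-7": ["cn:pump-controller-42", "cn:valve-11"],
    "ou:plant-9": ["cn:boiler-3"],
    "cn:pump-controller-42": [],
    "cn:valve-11": [],
    "cn:boiler-3": [],
}
CERT_REPOSITORY = {
    "org:ExampleCorp/ou:plant-7/cn:pump-controller-42": {"apps": {"telemetry"}},
    "org:ExampleCorp/ou:plant-9/cn:boiler-3": {"apps": {"telemetry", "control"}},
}

TOKEN_KEY = secrets.token_bytes(32)  # assumed key held by the authorization component
TOKEN_CACHE: dict = {}               # cached copies of issued tokens, keyed by cert + app


def translate_certificate(cert: dict) -> str:
    """Map certificate subject fields to an abstract, hierarchical descriptor."""
    return f"org:{cert['O']}/ou:{cert['OU']}/cn:{cert['CN']}"


def traverse_graph(descriptor: str) -> Optional[str]:
    """Walk the rooted graph along the descriptor; return the matched leaf or None."""
    current = "root"
    visited = {current}
    for node in descriptor.split("/"):
        children = AUTH_GRAPH.get(current, [])
        if node not in children or node in visited:  # unknown edge or cycle: fail closed
            return None
        visited.add(node)
        current = node
    if AUTH_GRAPH.get(current):  # the descriptor must identify a single leaf node
        return None
    return descriptor if descriptor in CERT_REPOSITORY else None


def request_access_token(descriptor: str, app: str, ttl_s: int = 300) -> Optional[str]:
    """Issue an HMAC-bound, expiring token only if the repository entry permits the app."""
    entry = CERT_REPOSITORY.get(descriptor)
    if entry is None or app not in entry["apps"]:
        return None
    payload = f"{descriptor}|{app}|{int(time.time()) + ttl_s}"
    tag = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_token(token: str) -> bool:
    """Constant-time tag check plus expiry check on a token produced above."""
    payload, _, tag = token.rpartition("|")
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return int(payload.split("|")[2]) > time.time()


def handle_request(cert: dict, app: str) -> Optional[dict]:
    """Gateway: cert -> descriptor -> graph match -> (cached) token -> forwarded request."""
    descriptor = translate_certificate(cert)
    if traverse_graph(descriptor) is None:
        return None
    cache_key = (cert["fingerprint_sha256"], app)
    token = TOKEN_CACHE.get(cache_key)
    if token is None or not verify_token(token):
        token = request_access_token(descriptor, app)
        if token is None:
            return None
        TOKEN_CACHE[cache_key] = token
    # The request forwarded to the authentication service, token encapsulated.
    return {"app": app, "headers": {"Authorization": f"Bearer {token}"}}


if __name__ == "__main__":
    print(handle_request(SAMPLE_CERT, "telemetry"))
    print(handle_request(SAMPLE_CERT, "control"))
```

A certificate whose chain of subject fields is present in the graph but absent from the repository (here, `cn:valve-11`) is refused even though it is a valid leaf, and a descriptor that stops at an intermediate node is refused because it does not identify a single leaf; both are the cases a reviewer would want to see fail closed.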
Regarding claim 3, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the method of claim 1. The combination of Wu, Bocanegra, Narayanan, and Carter further discloses wherein the request is on the Transport Level Security (TLS) layer (Wu: par. 0093, The request is made using two-way TLS to destination location at the IIoT cloud 106). 
Regarding claim 5, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the method of claim 1.  Wu further teaches caching a copy of the token in a certificate authorization component (Wu: fig. 7, par. 0066, receiving a first access token at IIoT machine 104 from an authorization service application).
Regarding claim 8, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the method of claim 1. The combination of Wu, Bocanegra, Narayanan, and Carter further teaches wherein the authorization graph descriptor is an abstract, hierarchical and stable authorization identifier for a single leaf node of the certificate authorization graph to be matched against authorization requirements for incoming requests (Wu: par. 0071, client or device identifier; Narayanan: par. 0007, generating [i.e. translating] a social graph based certificate. A user certificate for a user of the user device is obtained, wherein the user is associated with a user public key and corresponding user private key; par. 0036; Carter: figs. 2-3, pars. 0029, 0034; par. 0036, queries of the graph database [i.e. repository] from the management process, search [i.e. traversing] the data stores and/or index structures in the node for records matching the queries, and return results of the queries that contain the records to the management process).
Regarding claim 9, claim 9 is directed to a system comprising: at least one data processor (Wu: par. 0096, processor); and memory (Wu: par. 0096, memory) storing instructions which, when executed by the at least one data processor, perform operations corresponding to the method claimed in claim 1; claim 9 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 11, claim 11 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 13, claim 13 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 16, claim 16 is similar in scope to claim 8, and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 is directed to a non-transitory computer program product storing instructions which, when executed by at least one computing device, perform operations corresponding to the method claimed in claim 1; claim 17 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Claims 2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), and BAR-EL et al. (“BAR-EL,” US 2013/0305392, published Nov. 14, 2013).
Regarding claim 2, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the method of claim 1.  Wu discloses certificate but does not explicitly disclose wherein the certificate is an X.509 client certificate.
However, in an analogous art, BAR-EL discloses that the certificate is an X.509 client certificate (BAR-EL: par. 0200, The Client-Cert may be a client X.509 certificate used to authenticate a user with a given User-ID to a server associated with a given Service-ID, over the TLS/SSL protocol (if supported by the service)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of BAR-EL with the method and system of Wu, Bocanegra, Narayanan, and Carter, wherein the certificate is an X.509 client certificate, to provide users with a means for securely handling passwords and facilitating authentication and authorization on behalf of a user in a robust and user-friendly manner (BAR-EL: abstract, par. 0081).
Regarding claim 10, claim 10 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), and Graefe (“Graefe,” US 2013/0054567, published Feb. 28, 2013).
Regarding claim 4, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the method of claim 1.  The combination of Wu, Bocanegra, Narayanan, and Carter further discloses translating the certificate into an abstract representation (Narayanan: par. 0007, generating [i.e. translating] a social graph based certificate. A user certificate for a user of the user device is obtained, wherein the user is associated with a user public key and corresponding user private key; par. 0036) but does not explicitly disclose “constructing a runtime object as a rooted directed graph.”
However, in an analogous art, Graefe discloses constructing a runtime object as a rooted directed graph (Graefe: fig. 1, par. 0013, The root node of the graph [i.e. a rooted directed graph] is usually an operation that transfers query results to the user or application program running [i.e. runtime object] the query).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Graefe with the method and system of Wu, Bocanegra, Narayanan, and Carter, wherein a runtime object is constructed as a rooted directed graph to translate the certificate into an abstract representation, to improve efficiency, enable variances from the query execution plan, reduce the amount of work done to process the query, and utilize the boundaries of dynamically sequenced operations to enable pause and resume functionality without wasted or repeated effort (Graefe: pars. 0001, 0010-0011).
Regarding claim 12, claim 12 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Claims 6-7 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), and Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), and Friedel et al. (“Friedel,” US 2012/0226998, published Sep. 6, 2012).
Regarding claim 6, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the method of claim 5. The combination of Wu, Bocanegra, Narayanan, and Carter further teaches wherein the received request is enhanced with the cached copy of the token but does not explicitly disclose “proxied to an endpoint executing desired business logic.”
However, in an analogous art, Friedel discloses “proxied to an endpoint executing desired business logic” (Friedel: par. 0016, The proxy connection logic acts as a proxy for the endpoint and forwards the request to the source for the media for the endpoint [i.e. desired business logic]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Friedel with the method and system of Wu, Bocanegra, Narayanan, and Carter, wherein the request is proxied to an endpoint executing desired business logic, to obviate the need for complex script execution on the endpoint so that bandwidth on the enterprise network can be saved (Friedel: pars. 0022, 0080).
Regarding claim 7, the combination of Wu, Bocanegra, Narayanan, Carter, and Friedel teaches the method of claim 6. The combination of Wu, Bocanegra, Narayanan, Carter, and Friedel further teaches wherein the token comprises an abstraction of the (Wu: par. 0068, In an example embodiment, the enrollment service application 620 receives the first access token at operation 560, and then at operation 570, the enrollment service application 620 sends the same first access token [i.e. forwarding the request] to the UAA service 610 [i.e. authentication service]; Friedel: par. 0016, The proxy connection logic acts as a proxy for the endpoint and forwards the request to the source for the media for the endpoint [i.e. desired business logic]).
Regarding claim 14, claim 14 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), and BAR-EL et al. (“BAR-EL,” US 2013/0305392, published Nov. 14, 2013).
Regarding claim 18, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the non-transitory computer program product of claim 17.  Wu teaches wherein the request is on the Transport Level Security (TLS) layer (Wu: par. 0093, The request is made using two-way TLS to destination location at the IIoT cloud 106) and a certificate, but does not explicitly teach that the certificate is an X.509 client certificate.
However, in an analogous art, BAR-EL discloses that the certificate is an X.509 client certificate (BAR-EL: par. 0200, The Client-Cert may be a client X.509 certificate used to authenticate a user with a given User-ID to a server associated with a given Service-ID, over the TLS/SSL protocol (if supported by the service)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of BAR-EL with the method and system of Wu, Bocanegra, Narayanan, and Carter, wherein the certificate is an X.509 client certificate, to provide users with a means for securely handling passwords and facilitating authentication and authorization on behalf of a user in a robust and user-friendly manner (BAR-EL: abstract, par. 0081).
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), and Graefe (“Graefe,” US 2013/0054567, published Feb. 28, 2013).
Regarding claim 19, the combination of Wu, Bocanegra, Narayanan, and Carter teaches the non-transitory computer program product of claim 18. The combination of Wu, Bocanegra, Narayanan, and Carter teaches caching a copy of the token in a certificate authorization component (Wu: fig. 7, par. 0066, receiving a first access token at IIoT machine 104 from an authorization service application), wherein the operation further comprises translating “the certificate into an abstract representation” (Narayanan: par. 0007, generating [i.e. translating] a social graph based certificate. A user certificate for a user of the user device is obtained, wherein the user is associated with a user public key and corresponding user private key; par. 0036), but does not explicitly disclose “constructing a runtime object as a rooted directed graph.”
However, in an analogous art, Graefe discloses constructing a runtime object as a rooted directed graph (Graefe: fig. 1, par. 0013, The root node of the graph [i.e. a rooted directed graph] is usually an operation that transfers query results to the user or application program running [i.e. runtime object] the query).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Graefe with the method and system of Wu, Bocanegra, Narayanan, and Carter, wherein a runtime object is constructed as a rooted directed graph, to improve efficiency, enable variances from the query execution plan, reduce the amount of work done to process the query, and utilize the boundaries of dynamically sequenced operations to enable pause and resume functionality without wasted or repeated effort (Graefe: pars. 0001, 0010-0011).
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Wu et al. (“Wu,” US 2017/0195332, published Jul. 6, 2017) in view of Bocanegra et al. (“Bocanegra,” US 2015/0150109, published May 28, 2015), further in view of Narayanan et al. (“Narayanan,” US 2012/0278625, published Nov. 1, 2012), Carter et al. (“Carter,” US 2017/0212930, published Jul. 27, 2017), Graefe (“Graefe,” US 2013/0054567, published Feb. 28, 2013), and Friedel et al. (“Friedel,” US 2012/0226998, published Sep. 6, 2012).
Regarding claim 20, the combination of Wu, Bocanegra, Narayanan, Carter, and Graefe teaches the non-transitory computer program product of claim 19.  Wu further teaches wherein the received request is enhanced with the cached copy (Wu: fig. 7, par. 0066, receiving a first access token at IIoT machine 104 from an authorization service application) but does not explicitly disclose “proxied to an endpoint executing desired business logic.”
However, in an analogous art, Friedel discloses “proxied to an endpoint executing desired business logic” (Friedel: par. 0016, The proxy connection logic acts as a proxy for the endpoint and forwards the request to the source for the media for the endpoint [i.e. desired business logic]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Friedel with the method and system of Wu, Bocanegra, Narayanan, Carter, and Graefe, wherein the request is proxied to an endpoint executing desired business logic, to obviate the need for complex script execution on the endpoint so that bandwidth on the enterprise network can be saved (Friedel: pars. 0022, 0080).



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached Monday to Friday, 6:00 AM to 3:30 PM, with every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439

February 6th, 2022

/JAHANGIR KABIR/Primary Examiner, Art Unit 2439