DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action is responding to the amendment dated on 12/06/2021.
Claims 1-2, 5-8, 11-16 and 19-20 have been amended, Claims 9 and 17 have been canceled and all other Claims have been previously presented. 
Claims 1-8, 10-16 and 18-20 are submitted for examination.
Claims 1-8, 10-16 and 18-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Priority
This application filed on October 28, 2019 claims priority of parent application 15/351,255 filed on November 14, 2016.

Response to Arguments
Applicant’s amendment, filed on December 06, 2021 has claims 1-2, 5-8, 11-16 and 19-20 amended, claims 9 and 17 canceled and all other Claims have been previously presented.
The prior 35 U.S.C. 112(b) rejection of Claims 1, 5, 13 and 20 has been withdrawn in view of the amendment received on December 06, 2021.
The prior 35 U.S.C. 112(b) rejection of Claims 9 and 17 has been withdrawn in view of the amendment received on December 06, 2021.
Applicant’s remark, filed on December 06, 2021 in the middle of the page regarding, “The cited portions of Brand, whether or not considered in context of the disclosure of Brand at large, fail to disclose these features. More broadly, the cited portions of Brand do not appear to teach deletion of key material whatsoever” has been considered and found persuasive; however, applicant’s amendment necessitates a new ground of rejection. Accordingly, newly cited art by Robert Ziegler (WIPO PUB. # WO 2006/039364) discloses, the HSM interface 110 smart and magnetic card reader 115 may provide a secure and verifiable erasure feature to insure no residual keying material exists after keys have been injected or keying material has been discarded. This may be implemented as a procedure that requires erasure of the material be performed and verified to substantive level. The card reader and writer 115 may support both EMV for smart card support, debit cards, credit cards, and ATM cards. (¶28). The HSM interface 1513 smart and magnetic card reader 1515 may provide a secure and verifiable erasure feature to insure no residual keying material exists after keys have been injected or keying material has been discarded. This may be implemented as a procedure that requires erasure of the material be performed and verified to substantive level. The card reader and writer 1115 may support both EMV for smart card support, debit cards, credit cards, and ATM cards. (¶110). Thus Ziegler clearly teaches discarding key material after the keys have been injected. Examiner submits that once the keys are
Applicant’s remark filed on December 06, 2021 on top of page 12 regarding, “Applicant respectfully submits that the proposed combination of Brand in view of Hamid does not teach such subject matter as recited in amended claim 1” has been considered and found persuasive. Please see above paragraph 11 that clearly indicates how newly cited prior art Ziegler clearly teaches the newly amended claim recitation.
Applicant further recites similar remarks as listed above for independent claims, 5 and 13. Please see response for remarks in above paragraph 11 that clearly shows how the newly cited prior art Ziegler clearly teaches the claimed limitations.
Applicant further recites similar remarks as listed above for dependent claims 2-4, 6-8, 10-12, 14-16 and 18-20. Please see response for remarks in above paragraph 11 that clearly shows how the cited prior arts Brand, Hamid, Ziegler, Fitzgerald and Baldwin clearly teach the claimed limitations.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-5, 7, 12-13, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Brand et al. (US PGPUB. # US 2013/0132717, hereinafter “Brand”), and further in view of Laurence Hamid (US PGPUB. # US 2013/0219164, hereinafter “Hamid”), and further in view of Robert Ziegler (WIPO PUB. # WO 2006/039364, hereinafter “Ziegler”).

Referring to Claims 1, 5 and 13:
Regarding Claim 1, Brand teaches,
A computer-implemented method performed by a hardware security module, comprising: 
obtaining, from a requestor, a request to establish a cryptographically protected communication session, the request including a digital certificate (¶39, “The first time the user side software application requires encryption or unique user identification, it established that there is no digital user certificate (17) currently installed on the mobile phone (5). At this point, the application automatically connects to an online server of the certificate authority (11) ("CA") and attempts to request a digital user certificate (17) from the server (11)”, ¶14, “the server side software application utilizes a server side encryption module provided by the certificate authority and is configured to request and receive the user certificate from the mobile handset”, ¶23, “for encrypting communications between the mobile handset and the application server over the communication channel”; ¶45, “Each time the mobile handset (5) connects to an application server (9), it will start a certificate exchange process, whereby its certificate (17) is sent to the server (9),”, i.e. mobile device (client) certificate is obtained by the server for an encrypted (cryptographically protected) communication);
verifying, using at least a part of a plurality of public keys, the digital certificate (¶15, “upon successful validation of the user certificate by the server side software application”, ¶45, “Knowledge of the CA public key (29) may, however, be sufficient to enable validation of the respective certificates to be conducted.”, i.e. the digital certificate is verified using a public key); establishing the cryptographically protected communication session with the requestor, the cryptographically protected communication session involving a shared secret between the requestor [and the hardware security module] (¶23, “for encrypting communications between the mobile handset and the application server over the communication channel”, ¶46, “The handset (5) and server (9) can now share encryption keys (25) by means of which further encrypting of their communications may be done. The shared encryption keys (25) are typically symmetrical encryption keys”, i.e. encrypted communication is established using symmetric key (shared key)); 
obtaining encrypted data via the cryptographically protected communication session (“encrypting communications between the mobile handset and the application server over the communication channel is provided”, ¶15, “the encryption keys being useful for further data encryption between the mobile handset and the application server”, ¶23, ¶27, ¶43, ¶45, Claim 16, i.e. encrypted data is obtained); and 
decrypting, [using a fleet transfer key], the encrypted data, the fleet transfer key being obtained based at least in part on the shared secret (¶40, “sharing symmetrical encryption keys (25) with the application server (9)”, “decrypt the signature and verify that it was signed by the CA private key (27) and is accordingly authentic”, ¶45, “server side applications will therefore use the CA public key (29) to decrypt the signed certificates (17, 45)”, Claim 28, “decrypting data communicated to and from the mobile handset by means of the encryption keys”, i.e. received encrypted data is decrypted).
Brand does not teach explicitly,
obtaining an indication for the hardware security module  to join a hardware security module fleet; 
removing, from the hardware security module, unexpected key material found within the hardware security module;
[establishing the cryptographically protected communication session with the requestor, the cryptographically protected communication session involving a shared secret between the requestor] and the hardware security module;
[decrypting], using a fleet transfer key [the encrypted data, the fleet transfer key being obtained based at least in part on the shared secret].
However, Hamid teaches,
obtaining an indication for the hardware security module to join a hardware security module fleet (Fig. 9, ¶67, “when a new user 902 is added to the organization, the organizational network 920 can assign a new HSM module 952 to that new user 902”, i.e. a new HSM is added to the HSM fleet indicates that an indication for the hardware security module is received to join HSM fleet); 
[establishing the cryptographically protected communication session with the requestor, the cryptographically protected communication session involving a shared secret between the requestor] and the hardware security module; (Fig. 5(525, 530), ¶38, “a secure connection can be established between a user device, and the cloud hosted HSM, e.g., at 525. The HSM can include keys used to decrypt the user's data, and can act as the sole facilitator of accessing that data, e.g., at 530”, i.e. a secure session (cryptographically protected communication) between a user (requester) and a hardware security module). 
[decrypting], using a fleet transfer key (¶6, “the data can only be decrypted with keys stored on the associated hardware security module”, ¶38, “The HSM can include keys used to decrypt the user's data”, i.e. key stored on HSM is considered as fleet transfer key), [the encrypted data, the fleet transfer key being obtained based at least in part on the shared secret]
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.

Brand teaches, authenticating a certificate and establishing an encrypted communication between a client and a server. Hamid teaches, receiving a request to create a Hardware Security Module (HSM) to add to the fleet of HSMs. Therefore, it would have been obvious to create a Hardware Security Module (HSM) to add to the fleet of HSMs of Hamid with authenticating a certificate and establishing an encrypted communication between a client and a server of Brand to store the encryption keys in hardware security modules to avoid an attack on the encryption keys. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Combination of Brand and Hamid does not teach explicitly,
removing, from the hardware security module, unexpected key material found within the hardware security module;
However, Ziegler teaches,
removing, from the hardware security module, unexpected key material found within the hardware security module; (¶28, “The HSM interface 110 smart and magnetic card reader 115 may provide a secure and verifiable erasure feature to insure no residual keying material exists after keys have been injected or keying material has been discarded”, ¶110, “The HSM interface 1513 smart and magnetic card reader 1515 may provide a secure and verifiable erasure feature to insure no residual keying material exists after keys have been injected or keying material has been discarded”, i.e. Examiner submits that once the keys are injected, keying material is considered as unexpected key material which is being discarded).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Ziegler with the invention of Brand in view of Hamid.
Brand in view of Hamid teaches, authenticating a certificate and establishing an encrypted communication between a client and a server and receiving a request to create a Hardware Security Module (HSM) to add to the fleet of HSMs. Ziegler teaches, removing keying material from the HSM after keys have been injected. Therefore, it would have been obvious to incorporate the removing of keying material from the HSM after keys have been injected of Ziegler into the teachings of Brand in view of Hamid to prevent an attacker from accessing the key material and to also avoid corrupting new keys from old key material. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 5, it is a system Claim of above method Claim 1 and therefore Claim 5 is rejected with the same rationale as applied against Claim 1 above.

Regarding Claim 13, it is a non-transitory computer-readable storage medium Claim of above method Claim 1 and therefore Claim 13 is rejected with the same rationale as applied against Claim 1 above.

Referring to Claim 3, 12 and 20:
Regarding Claim 3, rejection of Claim 1 is included and for the same motivation Brand does not teach explicitly,
The method of claim 1, further comprises: 
detecting an indication to leave the hardware security module fleet; and 
as a result of detecting the indication to leave the hardware security module fleet, erasing at least the fleet transfer key and cryptographic material associated with the hardware security module fleet.
However, Hamid teaches,
The method of claim 1, further comprises: 
detecting an indication to leave the hardware security module fleet (Fig. 9, ¶67, “when a user 902 is separated from the organization”, i.e. an indication is detected to leave the hardware security module fleet); and 
as a result of detecting the indication to leave the hardware security module fleet, erasing at least the fleet transfer key and cryptographic material associated with the hardware security module fleet (Fig. 1, ¶35, “the Cloud HSMs 120 as secure key stores”, ¶67, “the organizational network 920 can remove the security settings and capabilities associated to the HSM module 952”, i.e. cryptographic keys are removed).
Regarding Claim 12, rejection of Claim 7 is included and Claim 12 is rejected with the same rationale as applied against Claim 3 above.

In addition Hamid teaches, Client public key (Fig. 1 (195), ¶35, “unlock the use of the encryption key and the keys (e.g., 190, 195, or other public or private keys)”).

Regarding Claim 20, rejection of Claim 15 is included and Claim 20 is rejected with the same rationale as applied against Claim 3 above.

In addition Hamid teaches, Client public key (Fig. 1 (195), ¶35, “unlock the use of the encryption key and the keys (e.g., 190, 195, or other public or private keys)”).

Regarding Claim 4, rejection of Claim 1 is included and for the same motivation Brand teaches,
The method of claim 1, wherein the digital certificate is a X.509 certificate (¶16, “the digital user certificate and the digital server certificate to be X.509 certificates”).

Referring to Claim 7 and 15:
Regarding Claim 7, rejection of Claim 5 is included and for the same motivation Brand teaches,
The system of claim 5, wherein the data includes a client application public key usable to establish an additional cryptographically protected communication session with a client (¶46, “The handset (5) and server (9) can now share encryption keys (25) by means of which further encrypting of their communications may be done. The shared encryption keys (25) are typically symmetrical encryption keys. It should be appreciated that, after the certificate exchange, the handset (5) will be in possession of the application server public key (47) and the application server (9) will be in possession of the handset public key (33)”, i.e. handset public key (client public key) is used to establish an additional cryptographic communication session).

Regarding Claim 15, rejection of Claim 13 is included and Claim 15 is rejected with the same rationale as applied against Claim 7 above.

Claims 8, 10-11, 16 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Brand et al. (US PGPUB. # US 2013/0132717, hereinafter “Brand”), and further in view of Laurence Hamid (US PGPUB. # US 2013/0219164, hereinafter “Hamid”), and further in view of Robert Ziegler (WIPO PUB. # WO 2006/039364, hereinafter “Ziegler”), and further in view of Fitzgerald et al. (US PGPUB. # US 2014/0282936, hereinafter “Fitzgerald”).

Referring to Claim 8 and 16:
Regarding Claim 8, rejection of Claim 5 is included and combination of Brand, Hamid and Ziegler does not teach explicitly,
The system of claim 5, wherein the data includes a network address associated with a particular hardware security module provided with access to the fleet transfer key.
However, Fitzgerald teaches,
The system of claim 5, wherein the data includes a network address associated with a particular hardware security module provided with access to the fleet transfer key (Fig. 1(112), ¶27, “the computing resource provider may configure appropriate computing resources so that the customer is able to communicate with the HSM 112 as if the HSM was in the customer's own network. For instance, requests to the HSM 112 may be addressed to an IP address for the HSM that is part of the customer's own IP space (e.g., a public IP address that the customer owns or controls or a private IP address of the customer)”, Fig. 3(328), ¶47, i.e. network address is associated with particular hardware security module).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Fitzgerald with the invention of Brand in view of Hamid and Ziegler.
Brand in view of Hamid and Ziegler teaches, authenticating a certificate and establishing an encrypted communication between a client and a server and receiving a KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 16, rejection of Claim 13 is included and Claim 16 is rejected with the same rationale as applied against Claim 8 above.

Referring to Claim 10 and 18:
Regarding Claim 10, rejection of Claim 5 is included and combination of Brand, Hamid and Ziegler does not teach explicitly,
The system of claim 5, the data includes information regarding one or more communication sessions between the client and a virtual HSM of the hardware security module fleet.
However, Fitzgerald teaches,
The system of claim 5, the data includes information regarding one or more communication sessions between the client and a virtual HSM of the hardware security module fleet (Fig. 7, ¶67-¶68, i.e. data includes information regarding one or more communication between client and a HSM).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Fitzgerald with the invention of Brand in view of Hamid and Ziegler.
Brand in view of Hamid and Ziegler teaches, authenticating a certificate and establishing an encrypted communication between a client and a server and receiving a request to create a Hardware Security Module (HSM) to add to the fleet of HSMs and removing keying material from the HSM after keys have been injected. Fitzgerald teaches, a network address associated with a particular hardware security module. Therefore, it would have been obvious to have a network address associated with a particular hardware security module of Fitzgerald into the teachings of Brand in view of Hamid and Ziegler to assign a hardware security module to a particular customer for storing cryptographic material including keys securely. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 18, rejection of Claim 13 is included and Claim 18 is rejected with the same rationale as applied against Claim 10 above.

Referring to Claim 11 and 19:
Regarding Claim 11, rejection of Claim 5 is included and combination of Brand, Hamid and Ziegler does not teach explicitly,
The system of claim 5, wherein the requestor comprises a second hardware security module.
However, Fitzgerald teaches,
The system of claim 5, wherein the requestor comprises a second hardware security module (Fig. 2(216, 238), ¶36, “the environment 200 includes a computing resource provider (CRP) HSM 238. The CRP HSM 238, as with the customer HSM 216, may be a physical HSM device”, i.e. first HSM and second HSM).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Fitzgerald with the invention of Brand in view of Hamid and Ziegler.
Brand in view of Hamid and Ziegler teaches, authenticating a certificate and establishing an encrypted communication between a client and a server and receiving a request to create a Hardware Security Module (HSM) to add to the fleet of HSMs and removing keying material from the HSM after keys have been injected. Fitzgerald teaches, a network address associated with a particular hardware security module. Therefore, it would have been obvious to have a network address associated with a particular hardware security module of Fitzgerald into the teachings of Brand in view of Hamid and Ziegler to assign a hardware security module to a particular customer for storing cryptographic material including keys securely. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Regarding Claim 19, rejection of Claim 13 is included and Claim 19 is rejected with the same rationale as applied against Claim 11 above.

Claims 2, 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Brand et al. (US PGPUB. # US 2013/0132717, hereinafter “Brand”), and further in view of Laurence Hamid (US PGPUB. # US 2013/0219164, hereinafter “Hamid”), and further in view of Robert Ziegler (WIPO PUB. # WO 2006/039364, hereinafter “Ziegler”), and further in view of Adrian Baldwin (US PGPUB. # US 2005/0005161, hereinafter “Baldwin”).

Referring to Claim 2, 6 and 14:
Regarding Claim 2, rejection of Claim 1 is included and combination of Brand and Hamid does not teach explicitly,
The method of claim 1, wherein: the plurality of public keys comprise a service provider public key and a manufacturer public key; 
the unexpected key material excludes the service provider public key and the manufacturer public key; and 
verifying the digital certificate comprises establishing a first chain of trust to a service certificate authority based at least in part on the service provider public key and establish a second chain of trust to a manufacturer certificate authority based at least in part on the manufacturer public key.
However, Ziegler teaches,
the unexpected key material excludes the service provider public key and the manufacturer public key; (¶43, “The HSM 114 encrypts the PIN in step 238. The HSM 114 generates a PIN block using the encrypted PIN and transaction data in step 240. The HSM 114 sends the PIN block to the HSM interface 110 in step 242. The HSM interface 110 generates a transaction request including the PIN block in step 244 and sends the transaction request to the ATM Network 118.”, ¶62, “The HSM 114 encrypts the PIN using an injected key-encryption-key at function block 348. The HSM 114 may encrypt the PIN using any of a variety of encryption techniques. In accordance with the preferred embodiment, the encryption is performed using a dual-controlled, split-knowledge key, which has been injected into the HSM 114 using a smart card 116. The HSM 114 then generates a PIN block using the encrypted PIN at function block 350”, i.e. key material excludes service provider public key and manufacturer public key).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Ziegler with the invention of Brand in view of Hamid.
Brand in view of Hamid teaches, authenticating a certificate and establishing an encrypted communication between a client and a server and receiving a request to create a Hardware Security Module (HSM) to add to the fleet of HSMs. Ziegler teaches, removing keying material from the HSM after keys have been injected. Therefore, it KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82.
Combination of Brand, Hamid and Ziegler does not teach explicitly,
The method of claim 1, wherein: the plurality of public keys comprise a service provider public key and a manufacturer public key; 
verifying the digital certificate comprises establishing a first chain of trust to a service certificate authority based at least in part on the service provider public key and establish a second chain of trust to a manufacturer certificate authority based at least in part on the manufacturer public key.
However, Baldwin teaches,
The method of claim 1, wherein: the plurality of public keys comprise a service provider public key (¶57, “These can be regarded as service keys for the relevant service provision and are referred to as the generated public/private key pair (and generated public and private keys respectively)”, i.e. service provider public key) and a manufacturer public key (¶37, “The public/private key pair is specific to the particular SPE 10 and is referred to as the permanent public/private key pair (and permanent public and private keys respectively)”, ¶39, i.e. manufacturer public key); and
verifying the digital certificate comprises establishing a first chain of trust to a service certificate authority based at least in part on the service provider public key and establish a second chain of trust to a manufacturer certificate authority based at least in part on the manufacturer public key (Fig. 8, ¶82, “A user of the service run on computer node 8 may be able to inspect this certificate, from which they can see two chains of trust--a chain of trust to the service provider SP, and a chain of trust to the SPE manufacturer, both of these chains can be verified by use of the requisite public keys”, i.e. certificate is verified based on chain of trust to a service certificate authority and manufacturer certificate authority).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Baldwin with the invention of Brand in view of Hamid and Ziegler.
Brand in view of Hamid and Ziegler teaches, authenticating a certificate and establishing an encrypted communication between a client and a server and receiving a request to create a Hardware Security Module (HSM) to add to the fleet of HSMs and removing keying material from the HSM after keys have been injected. Baldwin teaches, verifying digital certificate via a chain of trust to a service certificate authority and manufacturer certificate authority. Therefore, it would have been obvious to have verifying digital certificate via a chain of trust to a service certificate authority and manufacturer certificate authority of Baldwin into the teachings of Brand in view of Hamid and Ziegler to authenticate device and the service provider by utilizing their public keys. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Regarding Claim 6, rejection of Claim 5 is included and Claim 6 is rejected with the same rationale as applied against Claim 2 above.

Regarding Claim 14, rejection of Claim 13 is included and Claim 14 is rejected with the same rationale as applied against Claim 2 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Srivastav et al. (US PGPUB. # US 2017/0222981) disclose, a system including a controller and a pool of computing resources to run virtual machines are configured to automatically provision each virtual machine with unique cryptographic constructs. The controller receives a request to instantiate a virtual machine based on an image/template. The controller determines an authentication credential for a registration authority that the virtual machine will use. The controller determines the computing resources to run the virtual machine, and instructs the computing resources to boot the virtual machine. The controller passes the authentication credential to the virtual machine. After receiving the authentication credential, the virtual machine authenticates the registration authority and sends a request for the cryptographic constructs. The virtual machine securely receives the cryptographic constructs from the registration authority, enabling the virtual machine to securely communicate with other computing entities.
Yerra et al. (US PGPUB. # US 2014/0095865) disclose, techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session.
Seaborn et al. (US PGPUB. # US 2015/0134953) disclose, a HSM service controller receives an administrative request to enable a cloud-based application to have access to a cloud-based HSM service. The HSM service controller segments a cloud-based HSM into a plurality of VHSMs. The HSM service controller allocates to the cloud-based application, a source VHSM from among the plurality of VHSMs. The source VHSM includes an initial set of credentials, roles and/or metadata. The HSM service controller stores a handle for the source VHSM in association with a handle for the cloud-based application. The HSM service controller routes cryptography requests between the cloud-based application and the VHSM based on the handle for the source VHSM and the handle for the cloud-based application. The HSM service controller
	Zeev Lieber (US PGPUB. # US 2012/0210124) discloses that a current version certificate is stored that includes a corresponding current version identifier. A current instance certificate is received from the certificate authority, wherein the current instance certificate includes the current version identifier of the current version certificate and a current instance public key corresponding to the current instance private key. The current instance certificate is sent to a local station, during a registration with the local station. A request for video content is generated and sent to the local station. First encrypted data is received from the local station, wherein the first encrypted data includes a content key that is encrypted via the current instance public key. Second encrypted data is received from the local station, wherein the second encrypted data includes the video content that is encrypted via the content key.
	Chen et al. (US PGPUB. # US 2010/0161998) disclose operatively associating a signing key with a software component of a computing platform. The computing platform includes a trusted device and on start-up first loads a set of software components with each component being measured prior to loading and a corresponding integrity metric recorded in registers of the trusted device. The system stores a key-related item in secure persistent storage, the key-related item being either the signing key or authorisation data for its use. The trusted device is arranged to enable a component of the software-component set to obtain the key-related item, this enabling only occurring when the current register values correspond to values only present prior to loading of components additional to those of the software-component set. Certificate .
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DARSHAN I DHRUV/          Primary Examiner, Art Unit 2498