3DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
1. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
2. 	Claims 1-15 are objected to because of the following informalities:  
All the above claims recite comma after each clause. There should be semicolons.
 Appropriate correction is required.

Claim Rejections - 35 USC § 103
3. 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


4. 	Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1) in view of Sugiura (JP 2003244134 A).

5. 	Regarding Claim 1, Hang discloses, 
Hang does not explicitly disclose the following limitations that Sugiura teaches:
an authentication system of a first organization that a first user belongs to, the authentication system comprising: first processing circuitry to issue a registration transaction for a client certificate of the first user before the first user accesses a service of another organization from a user terminal of a first organization (Sugiura, [0022], each unit of the authentication system according to the embodiment of the present invention is divided into a user-side organization 10 and an information-provider organization 20, and includes a client-side device. The authentication server 31 is communicably connected to a certificate authority. [0023], The client-device 11 is a personal computer in which an information access software such as a web browser is installed. The authentication cooperation server 21 relays access from the client side device 11 to the information providing server 22, and when an unauthorized access person accesses the client side device 11.); and second processing circuitry to receive a hello message from another Hang, [0095], the encryption subprocess sends a client hello message to the network server, wherein the client hello message includes first encrypted data of the browser client, and the first encrypted data include a plurality of protocol version numbers. Second, the network server feeds a server hello message back to the encryption subprocess, wherein the server hello message includes second encrypted data of the server client, and the second encrypted data include a protocol version number selected from the first encrypted data. It should be noted that the client hello message and the server hello message are employed to determine the secure transmission capability of both parties, [0056], the browser client may also send, to the network server, a client key exchange message (ClientKeyExchange), a client hello done message (ClientHelloDone) and other handshake messages required for key exchange and signature authentication,), wherein said another organization system accepts the registration transaction for the client certificate of the first user, registers the client certificate of the first user in a client certificate Hang, [0053], The browser client sends a client hello message (ClientHello) to the network server, and the network server feeds back a server hello message (SeverHello) to the browser client to negotiate on the encrypted data.  [0054], Next, the network server sends a server certificate message (SeverCertificate) to the browser client. Because the two-way authentication is needed, the network server sends, in sequence, a certificate authentication request message (SeverRequest), a server key exchange message (SeverKeyExchange) and a server hello done message (SeverHelloDone) to the browser client. The certificate authentication request message is used for indicating certificate authentication of the client.), and if the signature message is correct, decides that the first user is a legitimate user (Hang, [0136], the client is a legitimate holder. In this embodiment, after inserting the USBKey, the user is reminded to enter a protection password, wherein the protection password is carried in the message to verify whether the user is legitimate).

6. 	Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1) and Sugiura (JP 2003244134 A) in view of Ebrahimi (US 2016/0328713 A).

7. 	Regarding Claim 2, Hang, Sugiura and Ebrahimi disclose, the authentication system according to claim 1, 
Hang and Sugiura does not explicitly disclose the following limitations that Ebrahimi teaches:
wherein said another organization system acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct(Ebrahimi, [0046], And the decrypted transaction number 232 might be used by a user accessible interface 280 (e.g., a GUI) to access the public storage facility 228 (e.g., the block chain) and retrieve the signed hash value and public key of the user. The retrieved signed hash value, the generated hash value, and the retrieved or obtained public key might then be input to verifying logic 273 for verification (e.g., through a “verify” function call to an RSA algorithm), which outputs a “true” value if the two hash values are the same and the public key is associated with the signature. [0028], by writing data to a public storage facility that implements a public block chain, later verification of that data is practically ensured to be correct ).
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include an organization system for a client using the public key from the client wherein the certificate decrypts the signature message and verifies the signature is correct to enhance security features.

8. 	Claim 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1) and Sugiura (JP 2003244134 A) in view of Georgiadis (US 2018/0137512 A1).

9. 	Regarding Claim 3, Hang, Sugiura and Georgiadis disclose, the authentication system according to claim 1, 
Hang and Sugiura does not explicitly disclose the following limitations that Georgiadis teaches:
wherein the first processing circuitry issues a registration transaction for a certificate authority certificate of the first organization, and wherein said another organization system accepts the registration transaction for the certificate authority certificate of the first organization (Georgiadis, [0294], Validating organization 1004 (or verification system 108) checks the evidence received by principal 1002 (or one of user or user device 102) and certifies (i) the accuracy of the provided information and (ii) the fact that the provided information is linked with principal 1002 (or one of user or user device 102). The certification manifests in the form of a blockchain transaction that is initiated from validating organization), 
Hang and Sugiura does not explicitly disclose the following limitations that Georgiadis teaches:
registers the certificate authority certificate of the first organization in a certificate authority certificate blockchain, verifies the client certificate of the first user, when the registration transaction for the client certificate of the first user is accepted, using the certificate authority certificate of the first organization in the certificate authority certificate blockchain, and if the client certificate of the first user is correct, registers the client certificate of the first user in the client certificate blockchain (Georgiadis, [0009], Centralization of information and ownership through certificates creates a single point of vulnerability. Certificate hierarchies are used as proof that an authority has reviewed and verified that the metadata in a given certificate is accurate. The metadata in the certificate is signed with the private key of a certificate authority (CA). The CA's public key comes preinstalled in all popular browsers. There are currently around 1200 formal CAs. The same mechanism applies to client certificates where the owner of the certificate proves her identity to an authentication/authorization system that provides access to a set of services. [0295], Validating organization 1004 (or verification system 108) signs the transactions with its address private key. The correctness of the signature can be verified, as the accompanying blockchain address is public. Once the transaction is included into a block, the transaction's signature is used in the block's header and the block header becomes part of the signature of subsequent blocks.).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the CA organization of the registration when the acceptance occurs using the CA and authorizes the blockchain and registers the client certificate to enhance security.

10. 	Regarding Claim 4, Hang, Sugiura and Georgiadis disclose, the authentication system according to claim 3, 
Hang and Sugiura does not explicitly disclose the following limitations that Georgiadis teaches:
wherein the authentication system comprises third processing circuitry to generate a signature using a certificate authority private key of the first organization, and to generate the client certificate of the first user to include the generated signature(Georgiadis, [0294], Validating organization 1004 (or verification system 108) checks the evidence received by principal 1002 (or one of user or user device 102) and certifies (i) the accuracy of the provided information and (ii) the fact that the provided information is linked with principal 1002 (or one of user or user device 102). The certification manifests in the form of a blockchain transaction that is initiated from validating organization), 
Hang and Sugiura does not explicitly disclose the following limitations that Georgiadis teaches:

and wherein said another organization system acquires a certificate authority public key of the first organization from the certificate authority certificate of the first organization when the registration transaction for the client certificate of the first user is accepted, verifies the signature using the certificate authority public key of the first organization, and if the signature is correct, decides that the client certificate of the first user is correct (Georgiadis, [0009], Centralization of information and ownership through certificates creates a single point of vulnerability. Certificate hierarchies are used as proof that an authority has reviewed and verified that the metadata in a given certificate is accurate. The metadata in the certificate is signed with the private key of a certificate authority (CA). The CA's public key comes preinstalled in all popular browsers. There are currently around 1200 formal CAs. The same mechanism applies to client certificates where the owner of the certificate proves her identity to an authentication/authorization system that provides access to a set of services. [0295], Validating organization 1004 (or verification system 108) signs the transactions with its address private key. The correctness of the signature can be verified, as the accompanying blockchain address is public. Once the transaction is included into a block, the transaction's signature is used in the block's header and the block header becomes part of the signature of subsequent blocks.).

11. 	Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1), Sugiura (JP 2003244134 A) and Abdulrahiman (WO 2018/160863 A1) in view of Thakore (US 2018/0278427 A1).

12. 	Regarding Claim 5, Hang, Sugiura, Abdulrahiman and Thakore disclose, the authentication system according to claim 1, 
Hang and Sugiura does not explicitly disclose the following limitations that Abdulrahiman teaches:
wherein when the first user logs out, the first processing circuitry issues a revocation transaction for the client certificate of the first user (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit), [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to issue of the revocation transaction of the circuit  when the user logs out the system and provides the client certificate to enhance security.
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
and wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT. ), 
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
and if the client certificate of the first user is not registered in the revocation list blockchain, sends the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108).
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the revocation transaction of the certificate from the terminal of the registered blockchain to enhance security features. 

13. 	Regarding Claim 6, Hang, Sugiura, Abdulrahiman and Thakore disclose, the authentication system according to claim 2, 
Hang and Sugiura does not explicitly disclose the following limitations that Abdulrahiman teaches:
wherein when the first user logs out, the first processing circuitry issues a revocation transaction for the client certificate of the first user (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit), [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
and wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT.), 
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
and if the client certificate of the first user is not registered in the revocation list blockchain, sends the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108).

14. 	Claim 7-8 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1), Sugiura (JP 2003244134 A), Georgiadis (US 2018/0137512 A1) and Abdulrahiman (WO 2018/160863 A1) in view of Thakore (US 2018/0278427 A1).

15. 	Regarding Claim 7, Hang, Sugiura, Georgiadis, Abdulrahiman and Thakora disclose, the authentication system according to claim 3,
Hang, Sugiura and Georgiadis does not explicitly disclose the following limitations that Abdulrahiman teaches: 
wherein when the first user logs out, the first processing circuitry issues a revocation transaction for the client certificate of the first user (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit), [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 
Hang, Sugiura, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches: 
and wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT.), 
Hang, Sugiura, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches: 

and if the client certificate of the first user is not registered in the revocation list blockchain, sends the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108).

16. 	Regarding Claim 8, Hang, Sugiura, Georgiadis, Abdulrahiman and Thakora disclose, the authentication system according to claim 4, 
Hang, Sugiura and Georgiadis does not explicitly disclose the following limitations that Abdulrahiman teaches: 
wherein when the first user logs out, the first processing circuitry issues a revocation transaction for the client certificate of the first user (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit), [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 
Hang, Sugiura, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches: 
and wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT.), 
Hang, Sugiura, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches: 
and if the client certificate of the first user is not registered in the revocation list blockchain, sends the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108).

17. 	Regarding Claim 11, Hang, Sugiura, Georgiadis, Abdulrahiman and Thakora disclose, the authentication system according to claim 8, 
Hang, Sugiura and Georgiadis does not explicitly disclose the following limitations that Abdulrahiman teaches: 
wherein when the first user logs out. the first processing circuitry issues a revocation transaction for the client certificate of the first user (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit), [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 
Hang, Sugiura, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches: 
and wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT.), 
Hang, Sugiura, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches: 
and if the client certificate of the first user is not registered in the revocation list blockchain, sends the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108).

18. 	Claims 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1), Sugiura (JP 2003244134 A) and Ebrahimi (US 2016/0328713 A) in view of Georgiadis (US 2018/0137512 A1).

19. 	Regarding Claim 9, Hang, Sugiura, Ebrahimi and Georgiadis disclose, the authentication system according to claim 2, 
Hang, Sugiura, and Ebrahim does not explicitly disclose the following limitations that Georgiadis teaches:
wherein the first processing circuitry issues a registration transaction for a certificate authority certificate of the first organization, and wherein said another organization system accepts the registration transaction for the certificate authority certificate of the first organization (Georgiadis, [0294], Validating organization 1004 (or verification system 108) checks the evidence received by principal 1002 (or one of user or user device 102) and certifies (i) the accuracy of the provided information and (ii) the fact that the provided information is linked with principal 1002 (or one of user or user device 102). The certification manifests in the form of a blockchain transaction that is initiated from validating organization ), 
Hang, Sugiura, and Ebrahim does not explicitly disclose the following limitations that Georgiadis teaches:
registers the certificate authority certificate of the first organization in a certificate authority certificate blockchain, verifies the client certificate of the first user, when the registration transaction for the client certificate of the first user is accepted, using the certificate authority certificate of the first organization in the certificate authority certificate blockchain, and if the client certificate of the first user is correct, registers the client certificate of the first user in the client certificate blockchain (Georgiadis, [0009], Centralization of information and ownership through certificates creates a single point of vulnerability. Certificate hierarchies are used as proof that an authority has reviewed and verified that the metadata in a given certificate is accurate. The metadata in the certificate is signed with the private key of a certificate authority (CA). The CA's public key comes preinstalled in all popular browsers. There are currently around 1200 formal CAs. The same mechanism applies to client certificates where the owner of the certificate proves her identity to an authentication/authorization system that provides access to a set of services. [0295], Validating organization 1004 (or verification system 108) signs the transactions with its address private key. The correctness of the signature can be verified, as the accompanying blockchain address is public. Once the transaction is included into a block, the transaction's signature is used in the block's header and the block header becomes part of the signature of subsequent blocks.).

20. 	Regarding Claim 10, Hang, Sugiura, Ebrahimi and Georgiadis disclose, the authentication system according to claim 9, 
Hang, Sugiura, and Ebrahim does not explicitly disclose the following limitations that Georgiadis teaches:
wherein the authentication system comprises third processing circuitry to generate a signature using a certificate authority private key of the first organization, and to generate the client certificate of the first user to include the generated signature (Georgiadis, [0294], Validating organization 1004 (or verification system 108) checks the evidence received by principal 1002 (or one of user or user device 102) and certifies (i) the accuracy of the provided information and (ii) the fact that the provided information is linked with principal 1002 (or one of user or user device 102). The certification manifests in the form of a blockchain transaction that is initiated from validating organization), 
Hang, Sugiura, and Ebrahim does not explicitly disclose the following limitations that Georgiadis teaches:
and wherein said another organization system acquires a certificate authority public key of the first organization from the certificate authority certificate of the first organization when the registration transaction for the client certificate of the first user is accepted, verifies the signature using the certificate authority public key of the first organization, and if the signature is correct, decides that the client certificate of the first user is correct (Georgiadis, [0009], Centralization of information and ownership through certificates creates a single point of vulnerability. Certificate hierarchies are used as proof that an authority has reviewed and verified that the metadata in a given certificate is accurate. The metadata in the certificate is signed with the private key of a certificate authority (CA). The CA's public key comes preinstalled in all popular browsers. There are currently around 1200 formal CAs. The same mechanism applies to client certificates where the owner of the certificate proves her identity to an authentication/authorization system that provides access to a set of services. [0295], Validating organization 1004 (or verification system 108) signs the transactions with its address private key. The correctness of the signature can be verified, as the accompanying blockchain address is public. Once the transaction is included into a block, the transaction's signature is used in the block's header and the block header becomes part of the signature of subsequent blocks.).

21. 	Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1), Sugiura (JP 2003244134 A), Ebrahimi (US 2016/0328713 A), Georgiadis (US 2018/0137512 A1) and Abdulrahiman (WO 2018/160863 A1) in view of Thakore (US 2018/0278427 A1)

22. 	Regarding Claim 12, Hang, Sugiura, Ebrahimi, Georgiadis, Abdulrahiman and Thakora disclose, the authentication system according to claim 9, 
Hang, Sugiura, Ebrahimi and Georgiadis does not explicitly disclose the following limitations that Abdulrahiman teaches:
wherein when the first user logs out, the first processing circuitry issues a revocation transaction for the client certificate of the first user (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit), [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 
Hang, Sugiura, Ebrahimi, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
and wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT.), 
Hang, Sugiura, Ebrahimi, Georgiadis and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
and if the client certificate of the first user is not registered in the revocation list blockchain, sends the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108).

23. 	Claims 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Hang (US 2017/0359185 A1), Sugiura (JP 2003244134 A), and Abdulrahiman (WO 2018/160863 A1) in view of Thakore (US 2018/0278427 A1).

24. 	Regarding Claim 13, Hang, Sugiura, Abdulrahiman and Thakore disclose, 
Hang does not explicitly disclose the following limitations that Sugiura teaches:
an authentication system of a first organization that a first user belongs to, the authentication system comprising: 
second processing circuitry to receive a hello message from another organization system when the first user accesses a service of another organization from a user terminal of the first organization (Sugiura, [0022], each unit of the authentication system according to the embodiment of the present invention is divided into a user-side organization 10 and an information-provider organization 20, and includes a client-side device. The authentication server 31 is communicably connected to a certificate authority. [0023], The client-device 11 is a personal computer in which an information access software such as a web browser is installed. The authentication cooperation server 21 relays access from the client side device 11 to the information providing server 22, and when an unauthorized access person accesses the client side device11.), to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to said another organization system as a signature message (Hang, [0095], the encryption subprocess sends a client hello message to the network server, wherein the client hello message includes first encrypted data of the browser client, and the first encrypted data include a plurality of protocol version numbers. Second, the network server feeds a server hello message back to the encryption subprocess, wherein the server hello message includes second encrypted data of the server client, and the second encrypted data include a protocol version number selected from the first encrypted data. It should be noted that the client hello message and the server hello message are employed to determine the secure transmission capability of both parties, [0056], the browser client may also send, to the network server, a client key exchange message (ClientKeyExchange), a client hello done message (ClientHelloDone) and other handshake messages required for key exchange and signature authentication,): 
Hang and Sugiura does not explicitly disclose the following limitations that Abdulrahiman teaches:
and first processing circuitry to issue a revocation transaction for a client certificate of the first user when the first user logs out (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit) [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner),
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT. ), 
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
sends, if the client certificate of the first user is not registered in the revocation list blockchain, the hello message to the authentication system (Thakore, [0032], The CA receives OCSP request messages from the ecosystem participants and confirms the revocation status of a corresponding certificate (e.g., stored in the trusted database of the CA), and the OCSP responder of the CA transmits an OCSP response message indicating the revocation status (e.g., “valid,” “revoked,” “unknown,” etc., or an error message if the request message may not be processed). [0041], In an exemplary embodiment of step S150, the query of blockchain 108 determines that ENT-E 114 has not registered, or is not tied to, the certificate (or CA) in blockchain 108), receives the signature message from the authentication system, verifies the signature message using the client certificate of the first user, and if the signature message is correct, decides that the first user is a legitimate user (Hang, [0142], The server verifies the client certificate, and verifies the signature of the client using the signature certificate of the client. The server performs ECDH operation using its own encryption key to obtain the pre_master_seceret, calculates the master_seceret and the data encryption key using the same algorithm as used by the client, verifies correctness of the SeverFinished, [0136], the client is a legitimate holder. In this embodiment, after inserting the USBKey, the user is reminded to enter a protection password, wherein the protection password is carried in the message to verify whether the user is legitimate).

25. 	Regarding Claim 14, Hang, Sugiura, Abdulrahiman and Thakore disclose, 
Hang does not explicitly disclose the following limitations that Sugiura teaches:
a non-transitory computer readable medium storing an authentication program for an authentication system of a first organization that a first user belongs to, the authentication program causing a computer to execute: a transaction issuing process of issuing a registration transaction for a client certificate of the first user before the first user accesses a service of another organization from a user terminal of the first organization (Sugiura, [0022], each unit of the authentication system according to the embodiment of the present invention is divided into a user-side organization 10 and an information-provider organization 20, and includes a client-side device. The authentication server 31 is communicably connected to a certificate authority. [0023], The client-device 11 is a personal computer in which an information access software such as a web browser is installed. The authentication cooperation server 21 relays access from the client side device 11 to the information providing server 22, and when an unauthorized access person accesses the client side device11.); 
Hang does not explicitly disclose the following limitations that Sugiura teaches:
and a proxy certification process of receiving a hello message from another organization system when the first user accesses the service of said another organization from a user terminal of the first organization (Sugiura, [0023], The client-device 11 is a personal computer in which an information access software such as a web browser is installed. The authentication cooperation server 21 relays access from the client side device 11 to the information providing server 22, and when an unauthorized access person accesses the client side device11), encrypting the hello message using a client private key of the first user, and sending the encrypted hello message to said another organization system as a signature message (Hang, [0095], the encryption subprocess sends a client hello message to the network server, wherein the client hello message includes first encrypted data of the browser client, and the first encrypted data include a plurality of protocol version numbers. Second, the network server feeds a server hello message back to the encryption subprocess, wherein the server hello message includes second encrypted data of the server client, and the second encrypted data include a protocol version number selected from the first encrypted data. It should be noted that the client hello message and the server hello message are employed to determine the secure transmission capability of both parties, [0056], the browser client may also send, to the network server, a client key exchange message (ClientKeyExchange), a client hello done message (ClientHelloDone) and other handshake messages required for key exchange and signature authentication,), 
Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
wherein said another organization system accepts the registration transaction for the client certificate of the first user, registers the client certificate of the first user in a client certificate blockchain, sends, when the first user accesses the service of said another organization from the user terminal of the first organization (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT. ), the hello message to the authentication system, receives the signature message from the authentication system, verifies the signature message using the client certificate of the first user in the client certificate blockchain, and if the signature message is correct, decides that the first user is a legitimate user (Hang, [0142], The server verifies the client certificate, and verifies the signature of the client using the signature certificate of the client. The server performs ECDH operation using its own encryption key to obtain the pre_master_seceret, calculates the master_seceret and the data encryption key using the same algorithm as used by the client, verifies correctness of the SeverFinished, [0136], the client is a legitimate holder. In this embodiment, after inserting the USBKey, the user is reminded to enter a protection password, wherein the protection password is carried in the message to verify whether the user is legitimate).
26. 	Regarding Claim 15, Hang, Sugiura, Abdulrahiman and Thakore disclose, 
Hang does not explicitly disclose the following limitations that Sugiura teaches:
a non-transitory computer readable medium storing an authentication program for an authentication system of a first organization that a first user belongs to, the authentication program causing a computer to execute: a proxy certification process of receiving a hello message from another organization system when the first user accesses a service of another organization from a user terminal of the first organization (Sugiura, [0022], each unit of the authentication system according to the embodiment of the present invention is divided into a user-side organization 10 and an information-provider organization 20, and includes a client-side device. The authentication server 31 is communicably connected to a certificate authority. [0023], The client-device 11 is a personal computer in which an information access software such as a web browser is installed. The authentication cooperation server 21 relays access from the client side device 11 to the information providing server 22, and when an unauthorized access person accesses the client side device11.), encrypting the hello message using a client private key of the first user, and sending the encrypted hello message to said another organization system as a signature message (Hang, [0095], the encryption subprocess sends a client hello message to the network server, wherein the client hello message includes first encrypted data of the browser client, and the first encrypted data include a plurality of protocol version numbers. Second, the network server feeds a server hello message back to the encryption subprocess, wherein the server hello message includes second encrypted data of the server client, and the second encrypted data include a protocol version number selected from the first encrypted data. It should be noted that the client hello message and the server hello message are employed to determine the secure transmission capability of both parties, [0056], the browser client may also send, to the network server, a client key exchange message (ClientKeyExchange), a client hello done message (ClientHelloDone) and other handshake messages required for key exchange and signature authentication,): 
Hang and Sugiura does not explicitly disclose the following limitations that Abdulrahiman teaches:
and a transaction issuing process of issuing a revocation transaction for a client certificate of the first user when the first user logs out (Abdulrahiman, [00251], In the illustrated embodiment, the mobile device 130 receives a key revocation request at 1704 via a secure channel created at 1702. At 1706, the mobile device 130 then instructs the secure element (or some other secure circuit) [0213], the operating system is configured to request authentication (or a certain authentication type, such as biometric authentication) for certain types of actions. These actions may include, for example, owner pairing, full key sharing, service key sharing, key revocation (including on the owner device as requested by owner), 

Hang, Sugiura and Abdulrahiman does not explicitly disclose the following limitations that Thakore teaches:
wherein said another organization system accepts the revocation transaction for the client certificate of the first user, registers the client certificate of the first user in a revocation list blockchain, checks, when the first user accesses the service of said another organization from the user terminal of the first organization, whether the client certificate of the first user is registered in the revocation list blockchain (Thakore, [0035], the submitting certificate issuer must be verifiable as owning the referenced DNSSEC domain; and (2) for renewal and revocation transactions, the transaction must also be verifiable as being unspent. In the case of CA certificate renewal, each CA certificate may be reflected as an unspent transaction on the blockchain.  [0045], According to the advantageous techniques of process 200, and as discussed above, individual certificates may be checked for revocation by checking against an OCSP/CRL provided by the CA in the distributed ledger/blockchain, and additionally/alternatively by using CT. ), sends, if the client certificate of the first user is not registered in the revocation list blockchain, the hello message to the authentication system, receives the signature message from the authentication system, verifies the signature message using a client certificate of the first user, and if the signature message is correct, decides, that the first user is a legitimate user (Hang, [0142], The server verifies the client certificate, and verifies the signature of the client using the signature certificate of the client. The server performs ECDH operation using its own encryption key to obtain the pre_master_seceret, calculates the master_seceret and the data encryption key using the same algorithm as used by the client, verifies correctness of the SeverFinished, [0136], the client is a legitimate holder. In this embodiment, after inserting the USBKey, the user is reminded to enter a protection password, wherein the protection password is carried in the message to verify whether the user is legitimate).

Conclusion
27. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. 	
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433