DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Allowable Subject Matter
Claims 30 and 39 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 26, 27, 29, 31, 33, 34, 36-38, 41, 43-47, and 49 is/are rejected under 35 U.S.C. 103 as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), hereafter “Kuperman,” and further in view of Kang et al. (US 2016/0323257), hereafter “Kang.”
Regarding claim 26, Askar teaches a server device (Askar: 440 of FIG. 4), comprising: 	processing circuitry (Askar: col. 7 lines 14-43); and …the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	a memory device including instructions embodied thereon, wherein the instructions, when executed by the processing circuitry, configure the processing circuitry to perform operations to (Askar: col. 7 lines 14-43): 	access, at the server device, a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]);	grant access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).	Askar does not teach:	verify, at the server device, that the intermediary device is a valid intermediary for the client device using the credential resource; 	access, at the server device, an access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token.The server 110 authenticates the hub 500 using the thing pairing information and the authentication information of the hub 500 in operation S220.]). 	It would have been obvious to one of ordinary skill in the art to implement that intermediary validation of Kang within the Askar-Kuperman system with predictable results. One would be motivated to make the combination to provide the predictable benefit of enhancing the security of the system by providing credentials specific to the intermediary device. A high likelihood of success is anticipated as both Askar-Kuperman and Kang disclose a hub as an intermediary device for Internet of Things (IoT) devices. Further, in view of this substantial similarity it would have been readily apparent to one of ordinary skill that various beneficial features of Kang could have been implemented within the Askar-Kuperman system with predictable results and a beneficial effect. 

Regarding claim 27, the server device of claim 26, wherein the proof of possession token is end to end encrypted from the client device to the server device, preventing the intermediary device from accessing data of the proof of possession token (Kuperman: par 0022; Askar: col. 12 lines 60-65). 

Regarding claim 29, the server device of claim 26, wherein the intermediary device is trusted by the server device, and wherein the proof of possession token identifies the server device as an intended audience, wherein in response to identifying the server device as the intended audience, the intermediary device is caused to forward the proof of possession token to the server device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 31, the server device of claim 26, wherein the proof of possession token identifies the server device and the client device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 33, the server device of claim 26, wherein the client device communicates with the intermediary device using a different network protocol than a network protocol used to communicate between the server device and the intermediary device (Askar: col. 12 lines 49-65). 

Regarding claim 34, the server device of claim 26, wherein to access the access control list, the processing circuitry is to search the access control list for the client device (Kuperman: par 0050). 

Regarding claim 36, a method, comprising a plurality of operations executed with a processor and memory of a server device (Askar: 440 of FIG. 4), the operations comprising:	receiving, at communication circuitry a proof of possession token forwarded from a client device by an intermediary device, the proof of possession token generated by …the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	accessing, using the processor of the server device, a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	verifying, using the processor of the server device, that the intermediary device is a valid intermediary for the client device using the credential resource  (Kang: par 0092 [The server 110 authenticates the hub 500 using the thing pairing information and the authentication information of the hub 500 in operation S220.]); 	accessing an access control list, the access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token (Kuperman: 218 of FIG. 3; par 0045); and 	granting, to the client device, access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).

Regarding claim 37, the method of claim 36, wherein the proof of possession token is end to end encrypted from the client device to the server device, preventing the intermediary device from accessing data of the proof of possession token (Kuperman: par 0022; Askar: col. 12 lines 60-65).

…the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 41, the method of claim 36, further comprising: 	performing an operation to receive a message from the client device via the intermediary device with the proof of possession token, the message identifying the resource (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]; col. 12 lines 60-65); and 	determining that the access control list identifies the resource as being available to the client device in response to processing the message (Kuperman: 218 of FIG. 3; par 0045). 

Regarding claim 43, a non-transitory device-readable storage medium (Askar: col. 7 lines 14-43) including instructions, wherein the instructions, when executed by a processing circuitry of a server device (Askar: 440 of FIG. 4), cause the processing circuitry to: 	receive, at communication circuitry a proof of possession token forwarded from a …the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	access, at the server device, a credential resource for the intermediary device (Askar: col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	verify, at the server device, that the intermediary device is a valid intermediary for the client device using the credential resource (Kang: par 0092 [The server 110 authenticates the hub 500 using the thing pairing information and the authentication information of the hub 500 in operation S220.]); 	access an access control list, the access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token (Kuperman: 218 of FIG. 3; par 0045); and 	grant, to the client device, access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).

Regarding claim 44, the device-readable storage medium of claim 43, wherein the proof of possession token is end to end encrypted from the client device to the server device, preventing the intermediary device from accessing data of the proof of possession token (Kuperman: par 0022; Askar: col. 12 lines 60-65). 

Regarding claim 45, the device-readable storage medium of claim 43, wherein the intermediary device is trusted by the server device, and wherein the proof of possession token identifies the server device as an intended audience, wherein in response to identifying the server device as the intended audience, forwarding, from the intermediary device, the proof of possession token to the server device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]).

Regarding claim 46, a system, comprising:	a server device (Askar: 440 of FIG. 4) including: 	processing circuitry (Askar: col. 7 lines 14-43); and 	communication circuitry to receive a proof of possession token forwarded from a client device by an intermediary device, the proof of possession token generated by an authentication service on behalf of the client device (Askar: 5, 7 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	a memory device including instructions embodied thereon, wherein the instructions, when executed by the processing circuitry, configure the processing circuitry to perform operations to (Askar: col. 7 lines 14-43): 	access, at the server device, a credential resource for the intermediary device The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]); 	verify, at the server device, the intermediary device is a valid intermediary for the client device using the credential resource (Kang: par 0092 [The server 110 authenticates the hub 500 using the thing pairing information and the authentication information of the hub 500 in operation S220.]); 	access an access control list, the access control list including a client access control entry for a resource designated accessible to the client device, based on information in the proof of possession token (Kuperman: 218 of FIG. 3; par 0045); and 	grant, to the client device access to the resource based on a request for the resource from the client device (Askar: 10 of FIG. 4; col. 12 lines 49-64).

Regarding claim 47, the system of claim 46, wherein the system further comprises the intermediary device to: 	receive the proof of possession token from the client device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 	identify the server device as an intended audience from information in the proof of possession token (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); 

Regarding claim 49, the system of claim 46, wherein the system further comprises the client device to: 	generate the proof of possession token and a message requesting the resource (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]);	send the proof of possession token and the message to the intermediary device (Askar: 7, 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]); and	receive, from the server device via the intermediary device, the information from the resource (Askar: 10 of FIG. 4; col. 12 lines 49-64).

Claim 28 is rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), in view of Kang et al. (US 2016/0323257), and further in view of Choyi et al. (US 2017/0012778), hereafter “Choyi.”


Claim 32 is rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), in view of Kang et al. (US 2016/0323257), and further in view of Hayton (US 2015/0350168).
Regarding claim 32, Askar-Kuperman-Kang does not teach the server device of claim 31, wherein the proof of possession token is one of an OAuth2, OpenID-Connect, SAML, XACML, Kerberos, or Fluffy token.	Hayton teaches a technique of wherein a proof of possession token is one of an OAuth2, OpenID-Connect, SAML, XACML, Kerberos, or Fluffy token (Hayton: par 0099).	It would have been obvious to one of ordinary skill in the art to implement the token of Askar-Kuperman-Kang as an SAML token according to the technique of Hayton with predictable results. One would be motivated to make the combination because it would have been apparent to one of ordinary skill that any of a variety of formats and protocols could have been utilized to implement the token validation functionality of Askar-Kuperman-Kang. Accordingly, implementing the SAML token of Hayton would have amounted to simple substitution of one known element for another with predictable results. One would further be motivated to make the combination in view of the substantial similarity of the references. Both Hayton and Askar-Kuperman-

Claims 35, 42, and 48 are rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), in view of Kang et al. (US 2016/0323257), and further in view of Moloney et al. (US 2019/0156141), hereafter “Moloney.”
Regarding claim 35, Askar-Kuperman-Kang teaches the server device of claim 26, wherein the communication circuitry is to use Representational State Transfer (RESTful) interactions among one or more Internet of Things (IoT) network topologies to perform network communication operations (Askar: col. 12 lines 19-30). 	Askar-Kuperman-Kang does not explicitly teach: 	wherein the network communication operations are conducted according to one or more Open Connectivity Foundation (OCF) specifications.	Moloney teaches a technique of: 	wherein network communication operations are conducted according to one or more Open Connectivity Foundation (OCF) specifications (Moloney: par 0070).	It would have been obvious to one of ordinary skill in the art to utilize the OCF 

Regarding claim 42, the method of claim 36, wherein the communication circuitry is to use Representational State Transfer (RESTful) interactions among one or more Internet of Things (IoT) network topologies to perform network communication operations, and wherein the network communication operations are conducted according to one or more Open Connectivity Foundation (OCF) specifications (Askar: col. 12 lines 19-30; Moloney: par 0070). 

Regarding claim 48, the system of claim 47, wherein the intermediary device is a cloud device or proxy device registered to interact with the server device using 

Claims 40 and 50 are rejected as being unpatentable over Askar (US 10,979,299), in view of Kuperman et al. (US 2018/0278584), in view of Kang et al. (US 2016/0323257), and further in view of Jones et al. (NPL - RFC 7800 “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”), hereafter “Jones.”
Regarding claim 40, Askar-Kuperman-Kang does not teach the method of claim 36, wherein verifying the proof of possession token includes verifying that the proof of possession token was signed by the client device using an authentication key. 	Jones teaches:	wherein verifying the proof of possession token includes verifying that the proof of possession token was signed by the client device using an authentication key (Jones: p. 4 [The presenter, for example, (4) uses the private key in a Transport Layer Security (TLS) exchange with the recipient or (4) signs a nonce with the private key. The recipient is able to verify that it is interacting with the genuine presenter by extracting the public key from the confirmation claim of the JWT (after verifying the digital signature of the JWT)]; p. 10 § 3.6). 	It would have been obvious to one of ordinary skill in the art to utilize the token 

Regarding claim 50, the system of claim 49, wherein the client device is further to access a web authorization provider to sign the proof of possession token, the proof of possession token signed by the client device using a key received from a credential management service (Jones: p. 4 [The presenter, for example, (4) uses the private key in a Transport Layer Security (TLS) exchange with the recipient or (4) signs a nonce with the private key. The recipient is able to verify that it is interacting with the genuine presenter by extracting the public key from the confirmation claim of the JWT (after verifying the digital signature of the JWT)]; p. 10 § 3.6).

Response to Arguments
Applicant’s arguments, filed 13 December 2021, have been fully considered and are discussed in detail below. 



With respect to the rejection of claim 26 under 35 USC § 103, Applicant argues that Askar deficient to teach the limitations against which it is cited. Specifically, Applicant argues that the hub device of Askar is not an intermediary (Remarks: p. 9). Examiner respectfully disagrees; the hub (430) of Askar passes communication between the client device (420) and the server (440) and performs registration on behalf of the client device to facilitate communication with the server (Askar: 10 of FIG.4; col. 10 lines 34-57 [The service registration configuration may include security credentials for the hub device 430 to use when registering the IoT devices 420 with the IoT service 440…]). Accordingly, Examiner maintains that the hub of Askar fairly meets the claimed intermediary device according to the broadest reasonable interpretation of the phrase.

Applicant further argues that the hub does not “forward a proof of possession token from a client device to a server device” as claimed (Remarks: p. 9). Examiner respectfully disagrees - the hub device forwards the token to the server because all communications subsequent to registration may include the token and those communications pass through the hub i.e. the hub forwards them (Askar: 10 of FIG. 4; col. 11 lines 52-59 […the hub device 430 may provide a security token to the IoT device 420…The IoT device 420 may provide the security token along with subsequent communications…]; col. 12 lines 49-64 […the IoT device may communicate the IoT device data to the IoT service 440 via the hub device 430.]). 

The remaining arguments depend on or relate to the arguments addressed above or are moot in view of the new grounds of rejection, the new grounds of rejection having been made necessary by the claim amendments. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES E SPRINGER whose telephone number is (571)270-5640. The examiner can normally be reached 9am - 5:30pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JAMES E. SPRINGER
Primary Examiner
Art Unit 2454



/JAMES E SPRINGER/           Primary Examiner, Art Unit 2454