DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The application of Learmonth for a “physical access control system” filed October 7, 2019 has been examined.  
 
This application claims priority to U.S. provisional application number 62/743,222, which was filed on October 9, 2018.
  
Claims 1-20 are pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 7 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693).

Referring to Claim 1, Morrison et al. disclose an access control system (column 1 lines 51 to column 2 line 67; see Figures 1 to 4), comprising: 
a trusted tag server (120) (i.e. a cloud-hosted access control system (item 120 in FIG. 1A and FIG. 1B) is configured to perform access control determinations in respect of a given door for which installation has been completed. The precise manner in which this occurs is dependent on nuances of a given access control system, however for the present purposes it will be assumed that each door is configured to be associated with a one or more acceptable permissions) (column 6 lines 55 to column 7 line 4; column 8 lines 21 to 45; see Figures 1A and 1B), comprising: 
a processor (122) (i.e. configuration enables an access control determination which compares permissions associated with a user (or user token) with acceptable permissions ;
a communication interface (121) coupled with the processor (122) and facilitating machine-to-machine communications (i.e. an access request input module 121 is configured for receiving access requests from devices, for example from device 110) (column 8 lines 23 to 29; see Figure 1B); and 
computer memory (not shown) coupled with the processor, wherein the computer memory comprises instructions that, when executed by the processor (i.e. the access control system additionally stores, for a plurality of users, respective permissions for those users (which may be explicit, or inferred from user attributes) (column 6 lines 55 to column 7 line 4; see Figures 1A and 1B), enable the processor to:
receive tag information and door information from a mobile device (110) as a result of the mobile device (110) participating in a proximity-based communication with a tag (100) (i.e. functional block 201 represents a process whereby a mobile device 110 reads an identifier from an NFC tag 100, this triggering the launching of an access control app at 202. In other embodiments these steps are reversed (i.e. the app is launched manually prior to reading of the tag). In some embodiments a NFC reader component in the mobile device is configured to recognize a predetermined portion/aspect of the NFC identifier and treat that as the trigger to launch the access control app) (column 8 lines 50 to 58; see Figure 2);
analyze the tag information received from the mobile device (100) (i.e. functional block 205 represents a process whereby the access request is transmitted to an access control server. Preferably data contained therein is encoded and/or encrypted.  Functional block 211 of 210 represents a process whereby an access request is received from a mobile device. This access request is processed at 212 based on a set of authorization rules) (column 9 lines 10 to 30; see Figure 2); 
determine, based on the analysis of the tag information, that the mobile device participated in a unique interaction with the tag (i.e. this access request is processed at 212 based on a set of authorization rules. This includes: 
(i) Determining the device and/or user responsible for submitting the request. 
(ii) Determining the controlled functionality in respect of which the request is made. 
(iii) Determining whether the device and/or user is authorized to access the controlled functionality in respect of which the request is made) (column 9 lines 10 to 41; see Figure 2).
However, Morrison et al. did not explicitly disclose in response to determining that the mobile device participated in the unique interaction with the tag, transmit the door information to an access control server, wherein the door information transmitted to the access control server enables the access control server to make an access control decision for a protected asset with respect to the mobile device.
In the same field of endeavor of an access control communication system, Stroud teaches that in response to determining that the mobile device 30 participated in the unique interaction with the tag 20, transmit the door information to an access control server 40C, wherein the door information transmitted to the access control server 40C enables the access control server 40C to make an access control decision for a protected asset with respect to the mobile device 30 (i.e. the local identifier and an identifier of the smartphone 30 are transmitted via a long range communication 32 to a remote device 40a that is within the long range. However remote device 40a is not the controlling device/server of the system, which is 40C. In this arrangement, the remote device 40a that communicates with the smartphone 30 transmits onwards the long range communication 42a to a network 43 (which may, for example be a local area network, or a wide area network or the Internet, etc.). The network transmits the communication 43a onwards to another device 40b of the system which is in long range communication 42b with the controller 40C of the system. The controller 40C on receiving the long range communication 42b recognizes the token 20 and the smartphone 30 and operates the door 52 via connection 44 to enable the user to enter the building through door 52) (column 18 lines 35 to 59; see Figures 1 to 3).
At the time of the effective filing date of the current application, it would have been obvious to a person of ordinary skill in the art to recognize the need for using a remote device to transmit the local identifier and the identifier of the smartphone to the access point/controller 40C to determine the token and the smartphone to operate the door, as taught by Stroud, in the access control entry system using the mobile device with short-range wireless communication that reads the BLE tag for authentication of Morrison et al., because using a remote device to transmit the local identifier and the identifier of the smartphone to the access point/controller 40C to determine the token and the smartphone to operate the door would improve the security of the access control system.

Referring to Claim 2, Morrison et al. in view of Stroud disclose the access control system of claim 1, Morrison et al. disclose further comprising: a door lock (130b) that is actuated in response to commands received from the access control server (120), wherein the door lock (130b) controls access to the protected asset by locking or unlocking a door (i.e. the door is equipped with an electronically actuated lock. This may be by way of a physical lock (such as a 13 (as shown in FIGS. 1A and 1C), or by way of a physical lock that is coupled to an electronic door lock actuator 130b, which is in turn coupled to a networked controller 130a (as shown in FIGS. 1B, 1D and 1E) to achieve a similar overall result. In both cases, the door may be unlocked by transmitting a control signal to a specified network address. In some cases this signal may require certain embedded properties for security purposes) (column 5 lines 10 to 22; column 8 lines 21 to 45; see Figures 1A and 1C).

Referring to Claim 3, Morrison et al. in view of Stroud disclose the access control system of claim 1, Morrison et al. disclose wherein the tag (100) is positioned on or near the door and wherein the door information comprises a unique identifier assigned to the door (i.e. a near-field-communications (NFC) tag 100 is installed proximal the door, thereby to allow NFC-based identification of the door. For example, the tag may be affixed to a surface or structure defined by or proximal the relevant door (for instance in one embodiment tag 100 is embedded in an adjacent wall area, the location being optionally marked for purposes of identification.  A BLE tag identifier for an BLE tag that is installed proximal the door) (column 5 lines 32 to 39; column 6 lines 18 to 36; column 8 lines 59 to 67; see Figures 1a to 2).

Referring to Claim 4, Morrison et al. in view of Stroud disclose the access control system of claim 1, Stroud discloses wherein the instructions further enable the processor to: transmit a mobile device identifier to the access control server for comparison against a set of permitted or non-permitted mobile devices associated with the door information (i.e. the mobile device 30 to be used in conjunction with tokens 20, such as the smartphone 30, must be 30 as follows. At the server 40 or any appropriately connected computer or the like, a user record is identified in the software. To register the smartphone 30 a credential is added, the credential being selected as ‘NFC’ type. An identifying address of the user of the smartphone 30 is entered, such as an e-mail address or a/the mobile phone 30 number and then the software sends a unique identifier and a link to the appropriate app to the user (via SMS or e-mail, e.g.). The user can then download the appropriate app to the smartphone 30 and enter the unique identifier into the app when it is first run on the smartphone 30. The app confirms whether the unique identifier has been previously registered with the system and if not, the smartphone 30 is enabled for use with the system.  The local identifier and an identifier of the smartphone 30 are transmitted via a long range communication 32 to a remote device 40a that is within the long range) (column 16 line 59 to column 17 line 9; column 18 lines 35 to 59; see Figure 3).

Referring to Claim 7, Morrison et al. in view of Stroud disclose the access control system of claim 2, Morrison et al. disclose wherein the access control server transmits an open command directly to the door lock that causes the door lock to release the door from a secure state (i.e. the signal sent from the server at 214 is received, in this example, by a networked actuator at 221, and in response to the signal the actuator performs its function. For example, in the case of a networked lock actuator, the function is to perform an “unlock” (typically a temporary “unlock”) functionality. However, it will be appreciated that the nature of functionalities may vary between embodiments) (column 9 lines 61 to 67; see Figure 2).

Referring to Claim 9, Morrison et al. in view of Stroud disclose an access control method; although different in scope from claim 1, claim 9 contains similar limitations to those of claim 1 already addressed above, and therefore claim 9 is also rejected for the same obvious reasons given with respect to claim 1.
   
Claims 5-6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) as applied to claims 1 and 9, and further in view of Robinton et al. (Pub. No. 2017/0017947).

Referring to Claim 5, Morrison et al. in view of Stroud disclose the access control system of claim 1, however, Morrison et al. in view of Stroud did not explicitly disclose wherein the tag information comprises a tag authentication cryptogram (TAC) and a tag unique identifier (TAGID) that are appended to a resource locator.
In the same field of endeavor of an access control communication system, Robinton et al. teach that wherein the tag information comprises a tag authentication cryptogram (TAC) (144) and a tag unique identifier (TAGID) (132) that are appended to a resource locator (i.e. components of the smart tag 108 are depicted as including a TAGID 132, an NFC applet 136, a Tag Authentication Cryptogram (TAC) module 144, and a cryptographic engine 148, some or all of which may be stored in a secure area of the smart tag's 108 memory (page 5 paragraph 0053; see Figures 1 to 6).  The tag data 140 may direct the communication application 124 of the mobile device 104 to communicate with the tag platform (or content server) 112. In particular, the response provided from the smart tag 108 to the mobile device 104 may correspond to a URL or the like. Upon receiving the response, the mobile 104 may utilize the communication application 124 to request content (e.g., one or more web pages 152) from the tag platform 112. Even more specifically, the URL received from the smart tag 108 may correspond to an address of the web page(s) 152 (page 6 paragraph 0061) in order to verify the authentication of the tag.
At the time of the effective filing date of the current application, it would have been obvious to a person of ordinary skill in the art to recognize the need for having the tag with TAGID and Tag Authentication Cryptogram (TAC) stored in the tag’s memory taught by Robinton et al. in the access control entry system using the mobile device with short-range wireless communication that read the BLE tag for authentication of Morrison et al. in view of Stroud because having the tag with TAGID and Tag Authentication Cryptogram (TAC) stored in the tag’s memory would provide an alternative way for using the data payload of the RFID tag for the access control system.

Referring to Claim 6, Morrison et al. in view of Stroud and Robinton et al. disclose the access control system of claim 5, Robinton et al. disclose wherein the resource locator comprises a web address that resolves to the trusted tag server and wherein the instructions further enable the processor to: compare the TAC with previously-received TACs to ensure that the TAC received from the mobile device is unique and not matching any previously-received TACs (i.e. a new TAC may be automatically generated by the smart tag 108 in response to detecting a mobile device 104 within its communication range, regardless of whether or not the mobile device 104 requests information from the smart tag 108. This means that a certain number of TACs generated by the smart tag 108 may never be transmitted to a mobile device 104; instead, the smart tag 108 will increment or move on to the next TAC when 104) mobile device 104 comes into read range of the smart tag 108 (or the same mobile device 104 exits and re-enters the read range)) (page 6 paragraph 0058).

Referring to Claim 14, Morrison et al. in view of Stroud disclose the method of claim 9; although different in scope from claim 5, claim 14 contains similar limitations to those of claim 5 already addressed above, and therefore claim 14 is also rejected for the same obvious reasons given with respect to claim 5.

Claims 8 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) as applied to claims 1 and 9, and further in view of Johansson et al. (US# 10,521,984).

Referring to Claim 8, Morrison et al. in view of Stroud disclose the access control system of claim 1, however, Morrison et al. in view of Stroud did not explicitly disclose  wherein the door information transmitted to the access control system is accompanied by a timestamp, wherein the timestamp is generated by a processor of the mobile device or a processor of the tag to indicate a time of the interaction between the tag and mobile device.
In the same field of endeavor of an access control communication system, Johansson et al. teach that wherein the door information transmitted to the access control system is accompanied by a timestamp, wherein the timestamp is generated by a processor of the mobile device or a processor of the tag to indicate a time of the interaction between the tag and mobile device (i.e. for a sequence value based at least in part on a timestamp, the sequence 1106, the security server retrieves a reader ID associated with the card reader, and appends the reader ID to the challenge message. Next, the security server generates 1108 a challenge ID and appends the challenge ID to the challenge message. The challenge ID can be a random number, a sequential number, a timestamp, a cryptographic key, a GUID, or other value that provides uniqueness to the challenge message) (column 15 lines 39 to column 16 line 7; see Figures 10 and 11) in order to improve security communication between the security server, the card reader and the access card.
At the time of the effective filing date of the current application, it would have been obvious to a person of ordinary skill in the art to recognize the need for having a sequence value based at least in part on timestamp and having the security server retrieves the reader ID associated with the card reader and appends the reader ID to the challenge message having the sequence value based on timestamp taught by Johansson et al. in the access control entry system using the mobile device with short-range wireless communication that read the BLE tag for authentication of Morrison et al. in view of Stroud because having the security server retrieves the reader ID associated with the card reader and appends the reader ID to the challenge message would improve security communication between the security server, the card reader and the access card in the access control system.

 Referring to Claims 10-11, Morrison et al. in view of Stroud disclose the access control method of claim 9, although different in scope from the claim 8, the claims 10-11 contain similar .

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) as applied to claim 9, and further in view of Hoyer et al. (US# 10,826,707).

Referring to Claim 12, Morrison et al. in view of Stroud disclose the method of claim 9, Stroud discloses that wherein the tag information and door information received from the mobile device (30) is encrypted (i.e. the app on the smartphone 30 takes the identifier of the token 20 and transmits it, along with a smartphone identifier (which may be a user ID, the credential created when the smartphone 30 is first registered, its phone number, an e-mail address, etc.) to the access point 40 via a long range communication 32, which in this embodiment is a Bluetooth LE communication. The transmission can be encrypted by the app prior to transmission for increased security. As the smartphone 30 is registered with the system, the access point 40 recognizes the smartphone 30 and also the token 20 and its associated appliance/system, from the transmitted local identifier. The access point 40 can therefore immediately operate or control the appliance/system associated with the token 20 from the single long range communication 32) (column 17 lines 17 to 31).
However, Morrison et al. in view of Stroud did not explicitly disclose the method further comprising: decrypting one or more data packets received from the mobile device (30) using a decryption key; extracting the tag information and the door information from the decrypted one or more data packets; and comparing the tag information against previously-
In the same field of endeavor of an access control communication system, Hoyer et al. teach that decrypting one or more data packets received from the mobile device using a decryption key; extracting the tag information and the door information from the decrypted one or more data packets; and comparing the tag information against previously-received tag information to ensure that the interaction between the tag and the mobile device corresponds to the unique interaction (i.e. the authorized entity 116 may extract the privacy key index from the response (step 608). Thereafter, the authorized entity 116 may utilize the privacy key index to identify a privacy encryption key that can be used for decrypting the encrypted tag identifier contained in the privacy identifier (step 612). The authorized entity 116 may then decrypt the encrypted tag identifier with the symmetric privacy encryption key identifier in step 612 (step 616). Thereafter, the authorized entity 116 may be able to identify the tag or a holder of the tag using the decrypted unique tag identifier (step 620). In some embodiments, the authorized entity 116 may also use the identification information for the tag 108 to track a location of the tag 108) (column 14 lines 8 to 27; see Figures 6 and 7) in order to improve security for communicating with the tag.
At the time of the effective filing date of the current application, it would have been obvious to a person of ordinary skill in the art to recognize the need for using privacy encryption key that can be used for decrypting the encrypted tag identifier for the authorized entity to identify the tag taught by Hoyer et al. in the access control entry system using the mobile device with short-range wireless communication that read the BLE tag for authentication of Morrison et al. in view of Stroud because using privacy encryption key that can be used for decrypting the .

Claims 13, 15-16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) as applied to claims 9 and 15, and further in view of Capaldi-Tallon (US# 9,990,787).

Referring to Claim 13, Morrison et al. in view of Stroud disclose the method of claim 9, however, Morrison et al. in view of Stroud did not explicitly disclose wherein the tag information and door information are appended to a web address that resolves to a web server.
In the same field of endeavor of an access control communication system, Capaldi-Tallon teaches that wherein the tag information and door information are appended to a web address that resolves to a web server (column 3 lines 1 to 7; column 4 lines 37 to 39; see Figure 1) in order to assist user to control the door. 
At the time of the effective filing date of the current application, it would have been obvious to a person of ordinary skill in the art to recognize the need for using mobile phone to access to the website using the predetermined unique resource link (URL) encoded in the bar code on the door taught by Capaldi-Tallon in the access control entry system using the mobile device with short-range wireless communication that read the BLE tag for authentication of Morrison et al. in view of Stroud because using mobile phone to access to the 


Referring to Claim 15, Morrison et al. in view of Stroud disclose a server; claim 15 differs from claim 1 in that the claim requires the limitations of claim 13 already addressed above, and Capaldi-Tallon discloses all limitations to the extent as claimed with respect to claim 13 above; therefore claim 15 is also rejected as being obvious for the same obvious reasons given with respect to claim 13.

Referring to Claim 16, Morrison et al. in view of Stroud and Capaldi-Tallon disclose the server of claim 15, Capaldi-Tallon discloses wherein the device authentication instruction set is configured to perform a mutual authentication with the mobile device using a web-based communication protocol (column 4 lines 4 to 17; see Figure 4).

Referring to Claim 18, Morrison et al. in view of Stroud and Capaldi-Tallon disclose the server of claim 15, Morrison et al. disclose wherein access to the physical asset is based on the mobile device (110) interaction with the tag (150) (column 7 lines 61 to 66; column 8 lines 50 to 67; see Figures 1 to 2).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) in view of Capaldi-.

Referring to Claim 17, Morrison et al. in view of Stroud and Capaldi-Tallon disclose the method of claim 15; although different in scope from claim 5, claim 17 contains similar limitations to those of claim 5 already addressed above, and therefore claim 17 is also rejected for the same obvious reasons given with respect to claim 5.
 
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) in view of Capaldi-Tallon (US# 9,990,787) as applied to claim 18 and further in view of Johansson et al. (US# 10,521,984).

Referring to Claim 19, Morrison et al. in view of Stroud and Capaldi-Tallon disclose the method of claim 18; although different in scope from claim 8, claim 19 contains similar limitations to those of claim 8 already addressed above, and therefore claim 19 is also rejected for the same obvious reasons given with respect to claim 8.
 
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Morrison et al. (US# 10,395,452) in view of Stroud (US# 9,591,693) in view of Capaldi-Tallon (US# 9,990,787) as applied to claim 15 and further in view of Hoyer et al. (US# 10,826,707).

Referring to Claim 20, Morrison et al. in view of Stroud and Capaldi-Tallon disclose the method of claim 18; although different in scope from claim 12, claim 20 contains similar limitations to those of claim 12 already addressed above, and therefore claim 20 is also rejected for the same obvious reasons given with respect to claim 12.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to the enclosed PTO-892 for details.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NAM V NGUYEN whose telephone number is 571-272-3061. Fax number is (571) 273-3061.  The examiner can normally be reached on 8:00AM-5:00PM Monday to Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Quan-Zhen Wang can be reached on 571-272-3114.  The fax phone numbers for the organization where this application or proceeding is assigned are 571-273-8300 for regular communications.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 




 /NAM V NGUYEN/
Primary Examiner, Art Unit 2684