Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to RCE filed on 3/2/2022. Claims 1, 12 and 16 are independents. Claims 1, 9, 12 and 16 are amended. Claims 1-20 are currently pending.

Response To Arguments
Applicant’s arguments with respect to the rejection of claims under 35 U.S.C 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Wilson, Kamal and Tussy. 

Claim Rejections-35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 2, 4 and 6-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wilson et al. (WO 2009036511 A1), hereinafter Wilson, in view of Kamal et al. (US 20190261169 A1), hereinafter Kamal.

Regarding claims 1, 12 and 16, Wilson teaches a method, comprising:
in response to a user attempt to access a given resource: 
identifying at least one policy defined for access to the given resource, wherein the at least one policy comprises at least one rule and at least one allowed issuer of a verifiable claim, wherein the verifiable claim is issued, prior to the user attempt to access the given resource, by the at least one allowed issuer and comprises a cryptographically signed attestation with respect to at least one characteristic of the user (Wilson p.1 ln9-14, p.2 ln20-28, access to online resources [user attempt to access a given resource]; controlling the access to online resources intended only for adults (generally speaking, persons who have attained the age of majority). Such resources include online gambling, dating and introduction services, "adult" or pornographic content, and other classified content (films, television programs, literature and so on). In Australia for example, new regulations introduced in 2007 require age verification for content delivered over the Internet or to multimedia wireless devices such as mobile telephones when that content has been given a conventional film & television classification of "MA15+" (intended only for a "Mature Audience" over the age of 15) or "R18+" (Restricted to persons over the age of 18) [age requirement/policy]; p.3 ln14-27, One approach to the age verification problem is to have a trusted third party vouch for the age of a first party (the user) at the time when the user is accessing services of a second party (the online service provider). Some approaches to such age verification involve a new type of trusted third party that provides age verification services possibly on a commercial basis, typically by accessing authoritative repositories of age information. When a service provider wishes to confirm the age of a given user, they inquire with the third party as to the person's age.
This approach requires the user to provide personal details when registering with the trusted third party, which represents an effort and possible additional expense not normally associated with the use of such resources as online social networking sites. This type of approach also complicates the processes by which the service provider deals with its users, and can involve the disclosure of personal details of the user to the service provider. Moreover, this approach requires a timely response from the third party as user participation is prevented until verification is provided by the third party; p.4 ln11-p.5 ln15 Trusted Third Party [allowed issuer] with signed Public Key Certificate including data that indicates that the user is a member of a defined demographic group [signed attestation]); 
determining, by a verifier entity, if the at least one rule and the at least one allowed issuer are satisfied based on an evaluation of the verifiable claim, wherein the verifier entity is distinct from the at least one allowed issuer (p.12 ln4-25, Subsequently, child 101 uses computer 130 to access via the Internet 199 online resources 220 provided by service provider 200 and intended only for children. The child 101 connects the cryptographic USB key 150 to a personal computer 130 as part of the access control procedure. An access control module 210 associated with the online resources 220 operates so as to distinguish legitimate users such as child 101 from illegitimate users such as adults. The access control module 210 effects verification by examining the Public Key Certificate 120, checking that the digital signature 124 corresponds to the Department of Education 110, and checking that the data item 122 does indicate that the holder of the Public Key Certificate 120 (namely the child 101) is of school age. If said checks are satisfied then the access control module 210 grants child 101 access to the online resources 220; the Certification Authority 114 is itself certified by a Root Certification Authority 314 which issues CA Public Key Certificate 320 containing a data item 326 that attests that the Certification Authority 114 is recognized as being authoritative over the particular demographic characteristic in question, in this case the fact that the child 101 is of school age. The CA Public Key Certificate 320 also includes a digital signature 324 of the Root Certification Authority 314. This arrangement thus effects an international or otherwise cross-jurisdictional mechanism for endorsing Certification Authority 114 so that the legitimacy of their verification of age of student 101 may be automatically verified by the service provider 200 even where the Certification Authority 114 is unknown to the service provider 200).
Wilson does not explicitly disclose automatically allowing the user to access the given resource in response to the at least one rule and the at least one allowed issuer being satisfied; and wherein the method is performed by at least one processing device comprising a processor coupled to a memory. However, in an analogous art, Kamal teaches automatically allowing the user to access the given resource in response to the at least one rule and the at least one allowed issuer being satisfied (Kamal FIG. 4 and para. 0023, If the fraud score satisfies a threshold (e.g., the fraud score is high, etc.), the IAMH 102 may be configured to decide to provide frictionless, risk-based authentication of the user without prompting the user for any explicit authentication. FIG. 4 and para. 0053, IDP 110 verifies the incoming claims, at 414 (e.g., including one or more aspects of the digital identity of the user, etc.)); and wherein the method is performed by at least one processing device comprising a processor coupled to a memory (Kamal para. 0036, computing device 200 includes a processor 202 and a memory 204 coupled to (and in communication with) the processor 202).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it improves the efficiencies and/or performance of the processor 202 and/or other computer system components configured to perform one or more of the various operations herein (Kamal, para. 0037).


Regarding claim 2, the combination of Wilson and Kamal teaches all of the limitations of claim 1, as described above. Kamal further teaches preventing the user from accessing the given resource if one or more of the at least one rule and the at least one allowed issuer are not satisfied (FIG. 1 and para. 0052, if the user's requested action is in violation of the determined policy, the IAMH 102 may simply provide a decline to the user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it eliminates security concerns by identifying an issuer that is not satisfied.

Regarding claims 4, 13 and 17, the combination of Wilson and Kamal teaches all of the limitations of claims 1, 12 and 16, respectively, as described above. Kamal further teaches wherein the at least one rule specifies a threshold for at least one data item obtained from the at least one allowed issuer (para. 0023, the IAMH 102 is configured to use a fraud score to decide how to handle consumer authentication related to such requests. If the fraud score satisfies a threshold (e.g., the fraud score is high, etc.), the IAMH 102 may be configured to decide to provide frictionless, risk-based authentication of the user without prompting the user for any explicit authentication).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it provides flexibility in access control by considering a threshold.

Regarding claim 6, the combination of Wilson and Kamal teaches all of the limitations of claim 1, as described above. Kamal further teaches wherein the given resource comprises one or more of a device, a software application and an account (FIG. 1 and para. 0052, the user accesses and attempts to login to a website, at 402 (e.g., via the mobile application 318 or otherwise, etc.)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it provides access control for different service configurations.

Regarding claim 7, the combination of Wilson and Kamal teaches all of the limitations of claim 1, as described above. Kamal further teaches wherein the at least one policy is stored by at least one policy hub (FIG. 1 and para. 0026, a policy manager 118 for enforcing the policies associated with the IAMH 102, whereby the policy manager 118 may be configured to define role based access control for tenants, to define user profiles and access privileges, and/or to define rules for access tokens for digital service).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it enhances policy enforcement.

 Regarding claim 8, the combination of Wilson and Kamal teaches all of the limitations of claim 7, as described above. Kamal further teaches wherein a plurality of the at least one policy hub is organized in a hierarchical structure, such that a given one of a plurality of the at least one policy is applied to the given resource in a predictable manner (FIG. 1 and para. 0020 and 0028, the primary IAMH 102 is configured to instantiate and/or create secondary hubs (or subsidiary/sub-hubs) that are dedicated to specific ones of the regions and located in those regions. In particular, the illustrated system 100 includes two secondary hubs 134 and 136, each of which is instantiated and/or created by the IAMH 102, and each of which is coupled to and/or in communication with the IAMH 102 and also the IDP 108 and the IDP 110, respectively).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it enhances policy enforcement by using a hierarchical structure approach.

Regarding claim 9, the combination of Wilson and Kamal teaches all of the limitations of claim 1, as described above. Kamal further teaches wherein the determining is performed by one or more of at least one device (FIG. 1 and 4, para. 0053, IDP 110 verifies the incoming claims, at 414 (e.g., including one or more aspects of the digital identity of the user, etc.), and (optionally) provides outgoing claims (e.g., results of the verification, etc.)) associated with the given resource and a hosted claims verification service (FIG. 4 and para. 0022 and 0054, user attempts to access a secure resource (e.g., account data, etc.) associated with the relying party 106, upon access to the website (or mobile application). To do so, the user provides the authentication token and one or more outgoing claims (e.g., the fraud score, etc.) to access the secure resource, at 432, whereupon the relying party 106 checks the claims, at 434, and checks the token, at 436, with the IAMH 102).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it improves the efficiencies and/or performance of the processor 202 and/or other computer system components configured to perform one or more of the various operations herein (Kamal, para. 0037).

Regarding claims 10, 15 and 19, the combination of Wilson and Kamal teaches all of the limitations of claims 1, 12 and 16, respectively, as described above. Kamal further teaches wherein the at least one policy is defined by presenting a plurality of approved issuers (FIG. 2 and para. 0038, the computing device 200 also includes an output device 206 that is coupled to (and in communication with) the processor 202. The output device 206 outputs information (e.g., prompts to provide biometrics, etc.)) for selection as part of the at least one policy (para. 0022, communicate policies and exchange claims with the IAMH 102 for user authentication and/or authorization (e.g., claims such as name, mailing address, age, social security number, etc.)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it improves the efficiencies and/or performance of the processor 202 and/or other computer system components configured to perform one or more of the various operations herein (Kamal, para. 0037).

 Regarding claims 11 and 20, the combination of Wilson and Kamal teaches all of the limitations of claims 1 and 16, respectively, as described above. Kamal further teaches wherein a collection of the verifiable claim is delegated to at least one user device (FIG. 1 and para. 0052, The relying party 106, through the website, at the communication device 140 then captures the claims, at 408 (e.g., via the input device 208 of the communication device 140, etc.), from the user and communicates the claims, at 410, to the IAMH 102).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it improves security by using multiple ways of verifying claims.

Regarding claims 14 and 18, the combination of Wilson and Kamal teaches all of the limitations of claims 12 and 16, respectively, as described above. Kamal further teaches wherein the at least one policy is stored by at least one policy hub (FIG. 1 and para. 0026, a policy manager 118 for enforcing the policies associated with the IAMH 102, whereby the policy manager 118 may be configured to define role based access control for tenants, to define user profiles and access privileges, and/or to define rules for access tokens for digital service), wherein a plurality of the at least one policy hub is organized in a hierarchical structure, such that a given one of a plurality of the at least one policy is applied to the given resource in a predictable manner (FIG. 1 and para. 0020 and 0028, the primary IAMH 102 is configured to instantiate and/or create secondary hubs (or subsidiary/sub-hubs) that are dedicated to specific ones of the regions and located in those regions. In particular, the illustrated system 100 includes two secondary hubs 134 and 136, each of which is instantiated and/or created by the IAMH 102, and each of which is coupled to and/or in communication with the IAMH 102 and also the IDP 108 and the IDP 110, respectively).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson and Kamal because it improves the efficiencies and/or performance of the processor 202 and/or other computer system components configured to perform one or more of the various operations herein (Kamal, para. 0037).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Wilson and Kamal as applied to claim 1 above, and further in view of Tussy (US 20190311102 A1).

Regarding claim 3, the combination of Wilson and Kamal teaches all of the limitations of claim 1, as described above. Kamal further teaches wherein one or more of the at least one rule are obtained (FIG. 4 and para. 0023, the IAMH 102 is configured to use a fraud score to decide how to handle consumer authentication related to such requests).
In addition, Tussy teaches wherein one or more of the at least one allowed issuer are obtained by scanning a Quick Response code associated with the given resource (para. 0127, the user may have a device code from logging in on another device, or may use the camera to scan QR code or other such code to pair the device to their user account).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wilson, Kamal and Tussy because there is a need for a reliable, cost-effective, and convenient method to authenticate users attempting to log in to, for example, a user account (Tussy, para. 0004).

Allowable Subject Matter
Claim 5 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 



/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437