DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephonic interview with the Applicant’s representative, Sean Crandall (Reg. No. 57,776) on April 28, 2022.  Mr. Crandall has agreed and authorized the examiner to amend claims 1, 9-11, 13, 15, and 17-20, and claims 7-8, 12, and 16 have been authorized to be canceled.

The claims have been amended as follows:

Claims
1.	(Currently Amended) An enrollment over secure transport (EST)-capable gateway device, comprising: 
a hardware platform comprising a processor circuit and a memory;
a first network interface to communicatively couple to an external network, including an external domain name system (DNS) server;
a second network interface to communicatively couple to a home network; and
instructions encoded within the memory to instruct the processor circuit to provide:
a caching domain name system (DNS) server comprising a local domain name system (DNS) cache, and logic to provide domain name system (DNS) services to the home network; and
an enrollment over secure transport (EST) proxy to authenticate to a local endpoint on the home network, provision a domain name system (DNS) server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint;
wherein the EST proxy is further to receive a client identity certificate enroll request, create a unique identifier for the local endpoint, enroll the local endpoint on an internet service provider (ISP) domain name system (DNS) server with the unique identifier, and receive an ISP’s domain name system over transport layer security/domain name system over hypertext transfer protocol secure (DTLS/DoH) capable (DNS) server certificate; 
wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP, establishing a provisional transport layer secure (TLS) connection with the EST server, authenticating the EST server, and receiving the ISP’s server certificate. 
7. 	(Canceled)
8. 	(Canceled)
9.	(Currently Amended) The EST-capable gateway device of claim [[8]] 1, wherein discovering the EST server comprises using standard discovery protocols.
10.	(Currently Amended) The EST-capable gateway device of claim[[ 8]] 1, wherein authenticating to the EST server comprises authenticating via Password-Authenticated Key Agreement (PAKE).
11.	(Currently Amended) The EST-capable gateway device of claim 1, wherein the EST proxy is further to add an encrypted universally unique identifier (UUID) to a transmission control protocol (TCP) option in a session initiation packet. 
12.	(Canceled) 
13.	(Currently Amended) One or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions to:
communicatively coupling a first network interface to an external network, including an external domain name system (DNS) server;
communicatively coupling a second network interface to a home network; and

provide by a caching domain name system (DNS) server, comprising a local domain name system (DNS) cache, and logic to provide domain name system (DNS) services to the home network; 
provide encrypted DNS services to the home network, comprising authenticating, by an enrollment over secure transport (EST) proxy, to a local endpoint on the home network, provisioning a domain name system (DNS) server certificate on the local endpoint, provisioning an authentication domain name (ADN) on the local endpoint;
wherein providing encrypted DNS services to the home network further comprises receiving, by the EST proxy, a client identity certificate enroll request, creating a unique identifier for the local endpoint, enrolling the local endpoint on an internet service provider (ISP) DNS server with the unique identifier, and receiving an ISP’s domain name system over transport layer security/domain name system over hypertext transfer protocol secure (DTLS/DoH) capable DNS server certificate; 
wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP; establishing a provisional transport layer secure (TLS) connection with the EST server; authenticating the EST server; and receiving the ISP’s server certificate.
15.	(Currently Amended) The one or more tangible, non-transitory computer-readable media of claim 14, wherein communicatively coupling to the remote endpoint comprises communicatively coupling to a lightweight enrollment over secure transport (EST) agent of the remote endpoint. 
16.	(Canceled)
17.	(Currently Amended) A computer-implemented method of provisioning a privacy & security enabled DNS services via an enrollment over secure transport (EST) proxy on a home gateway, comprising:
communicatively coupling a first network interface to an external network, including an external DNS server;
communicatively coupling a second network interface to a home network; and

provide by a caching domain name system (DNS) server, comprising a local domain name system (DNS) cache, and logic to provide domain name system (DNS) services to the home network;

 
providing encrypted DNS services to the home network, comprising authenticating, by an enrollment over secure transport (EST) proxy, to a local endpoint on the home network, provisioning a domain name system (DNS) server certificate on the local endpoint, and provisioning an authentication domain name (ADN) on the local endpoint; 
wherein providing encrypted DNS services to the local endpoint further comprises receiving, by an EST proxy, a client identity certificate enroll request, creating a unique identifier for the local endpoint, enrolling the local endpoint on an internet service provider (ISP) domain name system (DNS) server with the unique identifier, and receiving an ISP’s domain name system over transport layer security/domain name system over hypertext transfer secure (DTLS/DoH) Capable DNS server certificate; 
wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP; establishing a provisional transport layer secure (TLS) connection with the EST server; authenticating the EST server; and receiving the ISP’s server certificate.
18.	(Currently Amended) The method of claim 17, further comprising adding an encrypted universally unique identifier (UUID) to a transmission control protocol (TCP) option in a session initiation packet.
19.	(Currently Amended) The method of claim 17, wherein the caching DNS server is to provide DNS over transport layer security (DTLS).
20.	(Currently Amended) The method of claim 17, wherein the caching DNS server is to provide DNS over hypertext transfer protocol secure (DoH).

Examiner’s Statement of Reasons for Allowance

Claims 1-6, 9-11, 13-15, and 17-20 are allowable.
The following is an Examiner’s statement of reasons for allowance:
The claimed system and method are directed to using a secure bootstrapping protocol known as “enrollment over secure transport” (EST) to bootstrap endpoints into a trusted (e.g., home or enterprise) environment. This is done with a client identity certificate and a DNS server certificate. The provisioned certificates enable the endpoint to continue using the trusted DoH/DoT capable DNS server while roaming. The minimal agent on the endpoint device derives an ADN for the DNS server from the DNS-ID identifier within the subjectAltName field of the DNS server certificate.
This mechanism provides a lightweight EST proxy deployed on the home or enterprise gateway (a middle box, such as an SHP). A minimal agent may also be provisioned on the endpoint. The minimal agent on the endpoint is responsible for discovering and authenticating the EST proxy. Once the proxy is authenticated, the agent can receive the secure DNS server’s certificate and provision it on the client along with the ADN. The agent on the endpoint also sends a client identity certificate enroll request to the EST proxy. The EST proxy then creates a unique identifier for the endpoint and completes the enrollment process with the hosted privacy-enabling DNS server on the ISP’s network. Upon receiving the signed identity certificate, the agent provisions it on the endpoint and uses it to authenticate itself to the DNS server over the untrusted network. This helps the privacy-enabling DNS server identify the endpoint and enforce the appropriate DNS privacy and security. Advantageously, because the ISP is assumed to have a publicly accessible address, this security can be provided even when the home user is away or on a different network.
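The ADN derivation described above, as an added illustration that is not part of the application or of this office action: it parses a subjectAltName extension constructed here in DER, takes the first non-wildcard DNS-ID as the ADN to provision (that selection rule is an assumption), and checks a presented name against the certificate's DNS-IDs, including the wildcard and iPAddress cases that a client must not confuse with a DNS-ID.

```python
import ipaddress

SAN_OID = bytes.fromhex("551d11")  # OID 2.5.29.17, id-ce-subjectAltName


def tlv(tag: int, body: bytes) -> bytes:  # tiny DER encoder, values under 128 bytes only
    return bytes([tag, len(body)]) + body


def iter_tlv(buf: bytes):
    """Yield (tag, value) for each DER element in buf, handling long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long form: the next (n & 0x7F) bytes hold the real length
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n


def san_names(extension: bytes):
    """Return (dns_ids, ip_addresses) from a DER-encoded subjectAltName Extension."""
    (outer_tag, inner), = iter_tlv(extension)
    parts = dict(iter_tlv(inner))  # 0x06 extnID, optional 0x01 critical, 0x04 extnValue
    if outer_tag != 0x30 or parts.get(0x06) != SAN_OID:
        raise ValueError("not a subjectAltName extension")
    (_, general_names), = iter_tlv(parts[0x04])
    dns_ids, ips = [], []
    for tag, value in iter_tlv(general_names):
        if tag == 0x82:    # [2] dNSName (IA5String): the DNS-ID the agent derives the ADN from
            dns_ids.append(value.decode("ascii").lower())
        elif tag == 0x87:  # [7] iPAddress: 4 or 16 raw bytes; never matched as a DNS-ID
            ips.append(ipaddress.ip_address(value))
    return dns_ids, ips


def derive_adn(dns_ids) -> str:
    """Assumed provisioning rule: the ADN is the first non-wildcard DNS-ID."""
    for name in dns_ids:
        if not name.startswith("*."):
            return name
    raise ValueError("certificate carries no usable DNS-ID")


def adn_matches(adn: str, dns_ids) -> bool:
    """Exact case-insensitive match, or one leftmost label against a '*.' entry."""
    adn = adn.lower().rstrip(".")
    for pat in dns_ids:
        if pat == adn or (pat.startswith("*.") and "." in adn
                          and adn.split(".", 1)[1] == pat[2:]):
            return True
    return False


# Constructed sample: a SAN with two DNS-IDs (one wildcard) and one iPAddress.
SAMPLE_SAN = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, tlv(0x82, b"dns.isp.example")
    + tlv(0x82, b"*.resolvers.isp.example") + tlv(0x87, bytes([192, 0, 2, 53])))))
```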
The prior art of Ericksen et al. (2020/0344607) discloses a zero touch configuration proxy that performs operations for provisioning user equipment devices. The proxy receives a service request and a client certificate, and based on the information included in the certificate the user equipment is authorized to access a configuration file. Ericksen (2020/0344607) does not disclose or suggest, “an enrollment over secure transport (EST) proxy to authenticate to a local endpoint on the home network, provision a domain name system (DNS) server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint; wherein the EST proxy is further to receive a client identity certificate enroll request, create a unique identifier for the local endpoint, enroll the local endpoint on an internet service provider (ISP) domain name system (DNS) server with the unique identifier, and receive an ISP’s domain name system over transport layer security/domain name system over hypertext transfer protocol secure (DTLS/DoH) capable (DNS) server certificate; wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP, establishing a provisional transport layer secure (TLS) connection with the EST server, authenticating the EST server, and receiving the ISP’s server certificate”.
The prior art of Irwan et al. (10,270,770) discloses that mutual authentication between the device and the security gateway may occur when the gateway authenticates to the device and the device authenticates to the gateway. If the device and the gateway are mutually authenticated, the security gateway then enrolls the device into the customer trust. The security gateway may initiate enrollment with a certificate authority using the enrollment over secure transport protocol. The prior art of Irwan et al. (10,270,770) does not disclose or suggest, “an enrollment over secure transport (EST) proxy to authenticate to a local endpoint on the home network, provision a domain name system (DNS) server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint; wherein the EST proxy is further to receive a client identity certificate enroll request, create a unique identifier for the local endpoint, enroll the local endpoint on an internet service provider (ISP) domain name system (DNS) server with the unique identifier, and receive an ISP’s domain name system over transport layer security/domain name system over hypertext transfer protocol secure (DTLS/DoH) capable (DNS) server certificate; wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP, establishing a provisional transport layer secure (TLS) connection with the EST server, authenticating the EST server, and receiving the ISP’s server certificate”.
The prior art of Cathrow et al. (2017/0222974) discloses receiving, at an agent operating on a client device, a domain name system (DNS) resolution request for a domain name. The DNS resolution request is transmitted to a first DNS server that includes a firewall service and to a second DNS server within a network local to the client device. Responses to the DNS resolution request from the first and second DNS servers are received. The agent determines how to resolve the DNS resolution request based on one or more of the received responses. The prior art of Cathrow et al. (2017/0222974) does not disclose or suggest, “an enrollment over secure transport (EST) proxy to authenticate to a local endpoint on the home network, provision a domain name system (DNS) server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint; wherein the EST proxy is further to receive a client identity certificate enroll request, create a unique identifier for the local endpoint, enroll the local endpoint on an internet service provider (ISP) domain name system (DNS) server with the unique identifier, and receive an ISP’s domain name system over transport layer security/domain name system over hypertext transfer protocol secure (DTLS/DoH) capable (DNS) server certificate; wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP, establishing a provisional transport layer secure (TLS) connection with the EST server, authenticating the EST server, and receiving the ISP’s server certificate”.
The non-patent literature of Mini TT (Title: Secure Device Identifiers and Device Enrollment in Industrial Control System) teaches that devID certificates are a subset of X.509 certificates. devID certificates issued by a given CA for distinct devices have unique subject names. Creation of a devID certificate requires knowledge of the public key corresponding to the devID secret to be used with that certificate and knowledge of the attribute values to be included in the device’s subject name. The recommended method is for the device to generate a key pair and to generate and sign a Certificate Signing Request (CSR). The Certificate Authority (CA) validates the CSR, constructs the devID certificate, and returns it to the device for insertion into the devID module. The devID certificate is used to identify the manufacturer of the device, the device type, and the device serial number. A voucher provided by the device manufacturer to the customer is used to confirm that a device of that type and with that serial number has been shipped to that customer. The manufacturer of the device makes the devID trust anchor information available to the customer. The devID module includes the entire certificate chain for each devID up to the trust anchor.
The non-patent literature of Mini TT does not disclose or suggest, “an enrollment over secure transport (EST) proxy to authenticate to a local endpoint on the home network, provision a domain name system (DNS) server certificate on the local endpoint, provision an authentication domain name (ADN) on the local endpoint, and provide encrypted domain name system (DNS) services to the local endpoint; wherein the EST proxy is further to receive a client identity certificate enroll request, create a unique identifier for the local endpoint, enroll the local endpoint on an internet service provider (ISP) domain name system (DNS) server with the unique identifier, and receive an ISP’s domain name system over transport layer security/domain name system over hypertext transfer protocol secure (DTLS/DoH) capable (DNS) server certificate; wherein receiving the ISP’s DTLS/DoH capable DNS server certificate comprises discovering an enrollment over secure transport (EST) server on a network of the ISP, establishing a provisional transport layer secure (TLS) connection with the EST server, authenticating the EST server, and receiving the ISP’s server certificate”.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





4/28/2022
/J.E.J/Examiner, Art Unit 2439

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439