DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 1, 9-12 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jarjoui (US 10742422 B1), Teuwen (US 20150188712 A1), Sathianarayanan (US 2020/0401506 A1) and Tovino (US 9699167 B1) in view of Dasarakothapalli (US 10374809 B1).

Regarding Claim 1, Jarjoui discloses, a method, comprising: 
Jarjoui does not explicitly disclose the following limitations that Teuwen teaches:
receiving an encrypted version of a digital signature private key (Teuwen, [0038], The digital signature may be encrypted by a private key ); 
Jarjoui does not explicitly disclose the following limitations that Teuwen teaches:
receiving a request to sign a provided payload, wherein the payload includes an automation script specified to execute on one or more management service instances (Teuwen, [0010], the payload includes: transmitting a request message requesting a resource identified by the URI, wherein the request omits the fragment data; receiving, in response to the request, a script; executing the script to transmit the fragment data to at least one device other than the NFC device.); 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the encrypted version and receive the payload within the script and to execute the services. 

Jarjoui and Teuwen does not explicitly disclose the following limitations that Sathianarayanan teaches: 
validating the automation script, including by modifying the payload to add metadata data associated with the validation to the payload (Sathianarayanan, [0006], Performing the validation includes generating a test payload for the respective test. Generating the test payload includes determining an API reference corresponding to the respective test. Generating the test payload also includes obtaining relevant data from the test data according to a reference key in the respective test); 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the data and the validation of the payload when validating the script.
sending the encrypted version of the digital signature private key to a credential system (Jarjoui, Col. 17, lines 32-35, To decrypt or unlock the outer layer of the double layer of encryption of the key share, the client-side application receives a user's security credentials which exposes the user's private key. ); receiving from the credential system, an unencrypted version of the digital signature private key that is valid for a limited amount of time (Jarjoui, Col. 7, lines 62-67, a flowchart of an example process for obtaining an unencrypted private key, encrypting the unencrypted private key and storing the encrypted private key in a data storage service 150. The digital signing service 310 obtains an unencrypted private key pair (block 310).); 
Jarjoui, Teuwen and Sathianarayanan does not explicitly disclose the following limitations that Tovino teaches:

using the unencrypted version of the digital signature private key to sign the modified payload (Tovino, Col. 4, lines 42-45,  In other examples, the payload itself can be provided as a string that is unencrypted and combined with the signature that is generated in the response to the requestor.); 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to unencrypt the signature of the payload within the private key to enhance security features. 

Jarjoui, Teuwen, Sathianarayanan and Tovino does not explicitly disclose the following limitations that Dasarakothapalli teaches:
and providing the signed modified payload in response to the request to sign the provided payload, wherein the signed modified payload is configured to, in response to a request to execute the automation script on the one or more of the management service instances, be verified using a public key corresponding to the digital signature private key and allow a validation of the automation script at least in part by using the included added metadata (Dasarakothapalli, Col. 11, lines, 7-12, The JWS token may also include a digital signature, which may be generated by combining the encoded header and payload of the JWS token and signing this combination using the server's private cryptographic key of the cryptographic key pair. In some instances, the server may generate the response prior to obtaining the location of the digital certificate.  Col. 5 lines, 19-22, The header may include metadata for the token that may specify the type of digital signature included in the token and the encryption algorithm utilized to generate the digital signature.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the payload and request the signature and request the execution of the scrip of the metadata and validation to enhance security features. 

Regarding Claim 9, Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli disclose, the method of claim 1, wherein the unencrypted version of the digital signature private key is stored in a local cache for the limited amount of time (Jarjoui, Col. 7, lines 62-67, a flowchart of an example process for obtaining an unencrypted private key, encrypting the unencrypted private key and storing the encrypted private key in a data storage service 150. The digital signing service 310 obtains an unencrypted private key pair (block 310).).  

Regarding Claim 10, Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli disclose, the method of claim 9, further comprising expiring the unencrypted version of the digital signature private key from the local cache after the limited amount of time has passed (Jarjoui, Col. 7, lines, 47-53, The digital signing service 120 wipes from the memory cache and/or any other data storage devices all instances of the unencrypted private key and may do so immediately after digitally signing the electronic transaction. The wipe may be performed within 10 ms, 100 ms, 1 second, 1 minute, 10 minutes, 1 hour, or other intervals of the digitally signing of the electronic transaction.).  

Regarding Claim 11, Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli disclose, the method of claim 9, further comprising expiring the unencrypted version of the digital signature private key after the unencrypted version of the digital signature private key has been used for signing more than a threshold number of times (Jarjoui, Col. 9, lines 4-16, In addition to receiving the unencrypted private key, the digital signing service 120 may receive from a client device 110 additional data associated with the electronic account (e.g., previous electronic transactions with date stamps indicating fund transfers to/from the electronic account, the public key associated with the unencrypted private key, balances of electronic currency for the electronic account, account owner information such as name, address, and/or phone numbers.) The digital signing service 120 similarly may provide the associated account data along with the unencrypted private key to the encryption/decryption service 130 to encrypt the associated account data along with the unencrypted private key.).  

Regarding Claim 12, Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli disclose, the method of claim 1, further comprising validating a requester of the request to sign the provided payload (Tovino, 47-53, The authenticator may authenticate the requestor based on the credentials for the requestor and provide the requestor a response that includes a ticket redeemable for accessing resources operating in a hybrid system. The ticket may include payload data and a signature generated by the authenticator.).  

Regarding Claim 19, Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli disclose, a system, comprising: a processor (Teuwen, [0055], includes a processor 520, memory); and Application Serial No. 16/934,438 Attorney Docket No. SERVP0243a memory coupled to the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to: 
Jarjoui does not explicitly disclose the following limitations that Teuwen teaches:
receive an encrypted version of a digital signature private key (Teuwen, [0038], The digital signature may be encrypted by a private key ); 
Jarjoui does not explicitly disclose the following limitations that Teuwen teaches:
receive a request to sign a provided payload, wherein the payload includes an automation script specified to execute on one or more management service instances (Teuwen, [0010], the payload includes: transmitting a request message requesting a resource identified by the URI, wherein the request omits the fragment data; receiving, in response to the request, a script; executing the script to transmit the fragment data to at least one device other than the NFC device.); 
Jarjoui and Teuwen does not explicitly disclose the following limitations that Sathianarayanan teaches: 
validate the automation script, including by modifying the payload to add metadata data associated with the validation to the payload (Sathianarayanan, [0006], Performing the validation includes generating a test payload for the respective test. Generating the test payload includes determining an API reference corresponding to the respective test. Generating the test payload also includes obtaining relevant data from the test data according to a reference key in the respective test); send the encrypted version of the digital signature private key to a credential system (Jarjoui, Col. 17, lines 32-35, To decrypt or unlock the outer layer of the double layer of encryption of the key share, the client-side application receives a user's security credentials which exposes the user's private key. ); receive from the credential system, an unencrypted version of the digital signature private key that is valid for a limited amount of time (Jarjoui, Col. 7, lines 62-67, a flowchart of an example process for obtaining an unencrypted private key, encrypting the unencrypted private key and storing the encrypted private key in a data storage service 150. The digital signing service 310 obtains an unencrypted private key pair (block 310).); 
Jarjoui, Teuwen and Sathianarayanan does not explicitly disclose the following limitations that Tovino teaches:
use the unencrypted version of the digital signature private key to sign the modified payload (Tovino, Col. 4, lines 42-45,  In other examples, the payload itself can be provided as a string that is unencrypted and combined with the signature that is generated in the response to the requestor.); 
Jarjoui, Teuwen, Sathianarayanan and Tovino does not explicitly disclose the following limitations that Dasarakothapalli teaches:
and provide the signed modified payload in response to the request to sign the provided payload, wherein the signed modified payload is configured to, in response to a request to execute the automation script on the one or more of the management service instances, be verified using a public key corresponding to the digital signature private key and allow a validation of the automation script at least in part by using the included added metadata (Dasarakothapalli, Col. 11, lines, 7-12, The JWS token may also include a digital signature, which may be generated by combining the encoded header and payload of the JWS token and signing this combination using the server's private cryptographic key of the cryptographic key pair. In some instances, the server may generate the response prior to obtaining the location of the digital certificate.  Col. 5 lines, 19-22, The header may include metadata for the token that may specify the type of digital signature included in the token and the encryption algorithm utilized to generate the digital signature.).  

Regarding Claim 20,  Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli disclose,  a computer program product, the computer program product being embodied in a non-transitory computer readable medium and comprising computer instructions for: 
Jarjoui does not explicitly disclose the following limitations that Teuwen teaches:
receiving an encrypted version of a digital signature private key (Teuwen, [0038], The digital signature may be encrypted by a private key ); 
Jarjoui does not explicitly disclose the following limitations that Teuwen teaches:
receiving a request to sign a provided payload, wherein the payload includes an automation script specified to execute on one or more management service instances (Teuwen, [0010], the payload includes: transmitting a request message requesting a resource identified by the URI, wherein the request omits the fragment data; receiving, in response to the request, a script; executing the script to transmit the fragment data to at least one device other than the NFC device.); 
Jarjoui and Teuwen does not explicitly disclose the following limitations that Sathianarayanan teaches: 
validating the automation script, including by modifying the payload to add metadata data associated with a validation to the payload (Sathianarayanan, [0006], Performing the validation includes generating a test payload for the respective test. Generating the test payload includes determining an API reference corresponding to the respective test. Generating the test payload also includes obtaining relevant data from the test data according to a reference key in the respective test); sending the encrypted version of the digital signature private key to a credential system (Jarjoui, Col. 17, lines 32-35, To decrypt or unlock the outer layer of the double layer of encryption of the key share, the client-side application receives a user's security credentials which exposes the user's private key. ); receiving from the credential system, an unencrypted version of the digital signature private key that is valid for a limited amount of time (Jarjoui, Col. 7, lines 62-67, a flowchart of an example process for obtaining an unencrypted private key, encrypting the unencrypted private key and storing the encrypted private key in a data storage service 150. The digital signing service 310 obtains an unencrypted private key pair (block 310).); 
Jarjoui, Teuwen and Sathianarayanan does not explicitly disclose the following limitations that Tovino teaches:
using the unencrypted version of the digital signature private key to sign the modified payload (Tovino, Col. 4, lines 42-45,  In other examples, the payload itself can be provided as a string that is unencrypted and combined with the signature that is generated in the response to the requestor.); 
Jarjoui, Teuwen, Sathianarayanan and Tovino does not explicitly disclose the following limitations that Dasarakothapalli teaches:
and Application Serial No. 16/934,438 Attorney Docket No. SERVP0244providing the signed modified payload in response to the request to sign the provided payload, wherein the signed modified payload is configured to, in response to a request to execute the automation script on the one or more of the management service instances, be verified using a public key corresponding to the digital signature private key and allow the validation of the automation script at least in part by using the included added metadata (Dasarakothapalli, Col. 11, lines, 7-12, The JWS token may also include a digital signature, which may be generated by combining the encoded header and payload of the JWS token and signing this combination using the server's private cryptographic key of the cryptographic key pair. In some instances, the server may generate the response prior to obtaining the location of the digital certificate.  Col. 5 lines, 19-22, The header may include metadata for the token that may specify the type of digital signature included in the token and the encryption algorithm utilized to generate the digital signature.).





Claims 2-6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jarjoui (US 10742422 B1), Teuwen (US 20150188712 A1), Sathianarayanan (US 2020/0401506 A1), Tovino (US 9699167 B1) and Dasarakothapalli (US 10374809 B1) in view of Patiejunas (US 8805793 B2).

Regarding Claim 2, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Patiejunas disclose, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Patiejunas teaches:
the method of claim 1, wherein the added metadata data associated with the validation to the payload includes an execution configuration, a run as setting, and at least one identifier of the one or more of the management service instances (Patiejunas, Col. 10, lines 9-14, In various embodiments, a job record may include information related to the execution of a job such as a customer account identifier, job identifier, data object identifier, reference to payload data cache 228 (described below), job status, data validation information and the like. In some embodiments, job tracker 230 may collect information necessary to construct a job record from multiple requests.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the configuration of the payload when executed, the settings and the identifier that are associated with the validation of the service instances to enhance security. 

Regarding Claim 3, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Patiejunas disclose, the method of claim 2, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Patiejunas teaches:
wherein the execution configuration is stored in a security token (Patiejunas, Col. 19, lines 54-56, In some embodiments, process 500 may include receiving 502 multiple storage requests each including a portion of larger payload data.   Col. 13, lines 60-63, In an embodiment, storage node manager 244 performs data encoding according to one or more data encoding schemes before data storage to provide data redundancy, security and the like).
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to store the execution into the security token to enhance security.

Regarding Claim 4, Jarjoui, Teuwen, Sathianarayanan, TOvino, Dasarakothapalli and Patiejunas disclose, the method of claim 2, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Patiejunas teaches:
wherein the execution configuration specifies an expiration time or a total allowable execution count, and wherein the execution configuration is associated with one or more instances of the automation script executing on the one or more management service instances (Patiejunas, Col. 35, lines, 42-46, The server(s) also may be capable of executing programs or scripts in response requests from user devices, such as by executing one or more Web applications that may be implemented as one or more scripts or programs written in any programming language). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to configure the expired time within the execution of the script services to enhance security features. 
 
Regarding Claim 5, Jarjoui, Teuwen, Sathianarayanan, TOvino, Dasarakothapalli and Patiejunas disclose the method of claim 4, wherein the total allowable execution count is one (Jarjoui, Col. 20, lines 62-66, a computer system within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.).
  
Regarding Claim 6, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Patiejunas disclose, the method of claim 4, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Patiejunas teaches:
wherein the expiration time is a time limit (Patiejunas, Col. 27, lines, 13-15, In some embodiments, the expiration time may be further associated with a grace period during which data is still available or recoverable.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to the expiration of the time to enhance security features. 

Regarding Claim 18, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Patiejunas disclose, the method of claim 1, wherein the automation script specified to execute on the one or more management service instances is configured to provide a return result to an execution requester of the automation script (Patiejunas, Col. 13, lines 4-8, the return path, the archival data storage service may be configured to re-validate that the data that is being returned to the customer is matched against the request and/or that no substitution during execution happens due to a bug in the code or other the like.).  

Claims 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Jarjoui (US 10742422 B1), Teuwen (US 20150188712 A1), Sathianarayanan (US 2020/0401506 A1), Tovino (US 9699167 B1) and Dasarakothapalli (US 10374809 B1) in view of Ward (US 8369521 B2).

Regarding Claim 7, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Ward disclose, the method of claim 1, 
Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli does not explicitly disclose the following limitations that Ward teaches:
further comprising storing the received encrypted version of the digital signature private key on a local data store in a protected key store (Ward, Col. 2, lines 30-36, an encryption key management service can be used to create encryption keys that are linked to an X509 certificate's private key. Such a service can use smart card based multi-factor authentication to protect an encryption key store. Also, such a service can store and manage encryption keys without having to store sensitive information on the local file system.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the signature of the private key within the encrypted version of the protected key store to enhance security.

Regarding Claim 8, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Ward disclose, 
Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli does not explicitly disclose the following limitations that Ward teaches:
the method of claim 7, further comprising receiving a passphrase for the protected key store (Ward, Col.2, 27-30, Many of today's encryption key store services protect the encryption keys by encrypting them with an encryption key password that is a secret (i.e., known only to the user) and is used as a master key to encrypt.    Col. 2, lines 34-35, Such a service can use smart card based multi-factor authentication to protect a password store. Also, such a service can store and manage passwords without having to store sensitive information on the local file system.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the password of the key store to enhance security.


Claims 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Jarjoui (US 10742422 B1), Teuwen (US 20150188712 A1), Sathianarayanan (US 2020/0401506 A1), Tovino (US 9699167 B1) and Dasarakothapalli (US 10374809 B1) in view of Chan (US 10693901 B1).

Regarding Claim 13, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Chan disclose, the method of claim 12, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Chan teaches:
wherein the validation of the requester includes a session validation and a whitelist validation (Chan, Col. 8, lines 64-67, If multipart/form-data request is detected, the HTTP/HTTPS request is considered a file upload request, and the file type of the data being uploaded may be checked against a whitelist ).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to validate the whitelist within the requester to enhance security.


Regarding Claim 14, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Chan disclose, the method of claim 13, 
Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Chan teaches:
wherein the session validation is mutually authenticated (Chan, Col. 10, lines 33-34, The device fingerprint may be registered when a user is authenticated and a session ID is generated.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to authenticate the validation to enhance security.


Regarding Claim 15, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Chan disclose, the method of claim 13, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Chan teaches:
wherein the whitelist validation includes a domain, a sub-domain, or an IP address whitelist validation (Chan, Claim 4, The server system according to claim 3, wherein the at least one rule for input validation is based on one or more whitelists of threat or attack patterns.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the IP address of the whitelist and to validate it to enhance security features.

Regarding Claim 16, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Chan disclose, 

Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Chan teaches:
the method of claim 15, wherein the IP address whitelist validation includes an IP address range (Jarjoui, Col. 6, lines 17-20, The system 100 may optionally perform a validation operation to determine whether the public address to which the funds are being transferred to is on an approved list (e.g., a public address white list).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the validation of the IP address within the whitelist to enhance security. 


Claims 17 is rejected under 35 U.S.C. 103 as being unpatentable over Jarjoui (US 10742422 B1), Teuwen (US 20150188712 A1), Sathianarayanan (US 2020/0401506 A1), Tovino (US 9699167 B1) and Dasarakothapalli (US 10374809 B1) in view of Shrivastava (US 2021/0279079 A1).

Regarding Claim 17, Jarjoui, Teuwen, Sathianarayanan, Tovino, Dasarakothapalli and Shrivastava disclose, the method of claim 1, 
Jarjoui, Teuwen, Sathianarayanan, Tovino and Dasarakothapalli does not explicitly disclose the following limitations that Shrivastava teaches:
wherein validating the automation script includes analyzing the automation script to detect a security threat (Shrivastava, [0124], In one embodiment, the processor further performs a validation check for blacklisted APIs or global objects. These APIs are disallowed from usage in custom rule scripts, in some cases because they present a security risk to the mobile application system).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to analyze the script which will detect any security threats to enhance security features.


Conclusion
25. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433