Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claims 13-19 are objected to because they are duplicates of claims  respectively.  Appropriate correction is required.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 300, 400, 500, 600, 700, 800, 900, 940, 1000, 1100, 1200, and 1300.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 2, 3, 7, 8, 10, 11, 13, 14, 16, 17, 19, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 2 and 13 recite the limitation “the third service”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “a third service”.
Claims 3 and 14 recite the limitation “the decrypted private key”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “a decrypted private key”.
Claims 7, 8, 10, 16, 17 and 19 recite the limitation “the server”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “a server”.
Claims 4, 7, 16, and 20 recite the limitation “the third-party service”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “a third-party service”.
Claims 7 and 16 recite the limitation “the access token”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “an access token”.
Claims 10 and 19 recite the limitation “the access token”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “the second access token”.

Claims 8, 11, and 17 recite the limitation “the encrypted private key”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “an encrypted private key”.
Claim 10 recites the limitation “the encrypted key”. There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is interpreted as “an encrypted key”.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 8, 11, 12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over CHENG (US-20190280864-A1) in view of HAMEL (US-20190305952-A1), hereinafter CHENG-HAMEL.
Regarding claim 1, CHENG teaches “A method for performing non-custodial authentication for a client, comprising: generating a private key by the client, the client associated with a user;” ([CHENG, Para. 0065] “Cryptocurrency (e.g., Bitcoin, Ethereum) funds and appropriate operations on them are intrinsically linked to asymmetric cryptography keys: funds are received at addresses based on public keys and spent using private keys that confirm ownership.”) … ([CHENG, Para. 0081] “In one additional embodiment, the SFTSP includes Deterministic Derivation of Cryptocurrency Signing Keys with Split Master Seed and Enforcement of M-of-N Authentication Policy. This supports the SFTSP with innovations in Bitcoin, Ethereum and Blockchain, new service and product offerings in cryptocurrency.”) … ([CHENG, Para. 0159] “A RSA key pair may be generated at 607. In one embodiment, a RSA key pair (e.g., a RSA public key and a corresponding RSA private key) may be predefined (e.g., for a HSM) ……. In another embodiment, a RSA key pair may be generated dynamically (e.g., each time transaction signing is executed).”) … ([CHENG, Para. 0384] “Users, which may be people and/or other systems, may engage information technology systems (e.g., computers) to facilitate information processing ……. These information technology systems provide interfaces that allow users to access and operate various system components.”) … ([CHENG, Para. 0414] “The cryptographic component facilitates the process of “security authorization” whereby access to a resource is inhibited by a security protocol wherein the cryptographic component effects authorized access to the secured resource.”) generating, at the client, … token … from the private key; ([CHENG, Para. 0085] “FIG. 1B shows an exemplary architecture for the SFTSP. As shown in FIG. 1B, two master private key (or seed) shares of a master private key (e.g., a 64-byte seed) were generated (e.g., via Shamir's Secret Sharing) and stored on HSMs. Seed share one (e.g., a 64-byte seed share) was generated and/or stored (e.g., with proper attributes) on Gemalto's ProtectServer PCI-e HSM.”) … ([CHENG, Para. 0087] “CKA_TOKEN=whether a seed share is a permanent or a transient/session object on HSM”) … ([CHENG, Para. 0234] “In one implementation, upon generating a master key on a HSM, the master key may be split into master key shares inside the HSM.”) and authenticating the user for an application ….. ([CHENG, Para. 0182] “FIG. 8 shows an exemplary authentication model for the SFTSP. In FIG. 8, M-of-N authentication utilizing an HSM is illustrated. For example, in order to start a highly sensitive business application operation (e.g., transaction signing for a transfer of large funds between accounts, key backup, key recovery), several physically present persons may have to authenticate to the HSM.”) … ([CHENG, Para. 0235] “FIG. 18 shows an exemplary key recovery model for the SFTSP. In FIG. 18, a seed (e.g., master key) may be recovered from seed shares. Seed shares utilized to recover the seed (e.g., a minimum number of seed shares) may be transferred from their storage locations to a recovery center. Operators participating in the key recovery process may enter the seed shares into a reading device 1820 (e.g., each operator may hold and enter a single seed via a barcode reader, keyboard, USB drive, hard drive, portable HSM, etc.), and the reading device may transfer the seed shares to a recovery utility 1805. The recovery utility may request that a seed hosting HSM 1801 (e.g., Gemalto's G5 HSM), which will host the recovered seed and which supports M-of-N authentication, generate a RSA key pair and provide the generated public key. Operators may approve the key pair generation and seed recovery process by authenticating to an authentication entry device associated with the hosting HSM”).
However, CHENG does not teach generating “a decentralized identifier token (DIDT) …. authenticating the user for an application based on the DIDT”.
In analogous teaching, HAMEL teaches generating “a decentralized identifier token (DIDT) ([HAMEL, para. 0117] “A system for credential storing and verifying using a distributed ledger is disclosed. The system includes an interface and a processor. The interface is configured to receive an indication to register a credential. The processor is configured to indicate to store in a distributed ledger a decentralized identifier (DID) document associated with a holder identifier using a smart contract,”) … ([HAMEL, para. 0223] “In 8D06, user is registered with distributed ledger. For example, a DID keypair that is associated with the user is generated on the mobile device and sent to the DCIAMS to be registered as a DID document with the distributed ledger.”) …. authenticating the user for an application based on the DIDT.” ([HAMEL, para. 0099] “The system for digital credentialing is designed to empower individual users to own their verifiable professional identity and to be able to enable this identity to be useable in scenarios where a verified identity allows access by providing proof of identity. An application might use the system to prove the identity or verify a user's access ability to something.”) ([HAMEL, para. 0175] “In the example shown, in 5F00, a DID document is retrieved from a distributed ledger based on target DID in proof response. In 5F02, it is determined whether a public key from a decentralized ledger matches a DID (e.g., a decentralized identifier) in a credential (e.g., a credential of the proof response). In the event it is determined that a public key from a decentralized ledger does not match a DID in the credential, control passes to 5F14. In the event it is determined in 5F02 that that a public key from a decentralized ledger matches a DID in the credential, control passes to 5F04. In 5F04, it is determined whether the credential is one of a set of credentials that can enable authorization to access.”).
Thus, given the teaching of HAMEL, it would have been obvious to one of ordinary skill
in the art before the effective filling date of the claimed invention to combine the teaching of a decentralized identifier token as taught by HAMEL into the teaching of a method for performing non-custodial authentication for a client as taught by CHENG. One of ordinary skill in the art would have been motivated to do so because HAMEL recognizes the need to improve the security off authentication systems. ([HAMEL, para. 0150] “The credential authentication system makes a computer system better by improving security and access control.”) ([HAMEL, para. 0121] “The system makes a computer better by improving the ability to provide secure access. The system provides for checks ensuring that a writer and user are allowed to write to a distributed ledger and that an item to be stored is valid and unique and is successfully stored. The system further provides checks to validate a credential with stored information on the distributed ledger including schema information, credential definition information, as well as DID documents related to a holder and an issuer of a credential. The system therefore allows for making the system more secure by providing secure access to appropriate users based on a verifiable and trustworthy credential.”).


Regarding claims 8 and 17, CHENG-HAMEL teaches all limitations of claim 1. CHENG further teaches “The method of claim 1, further comprising uploading the encrypted private key from the client to the server.” ([CHENG, Para. 0112] “The portable HSM may provide the encrypted master private key to the SFTS module via a master key response message 541.”) … ([CHENG, Para. 0113] “The SFTS module may send SFTS response data 545 to the HSM in response to the SFTS API call.”).


Regarding claim 11, CHENG-HAMEL teaches all limitations of claim 1. CHENG further teaches  “further comprising: signing transaction data based on the encrypted private key; and submitting the transaction data to be stored at a plurality of linked peer-to-peer computers that store data in blocks that are linked together.” ([CHENG, Para. 0066] “Operations are published on the Blockchain and become publicly visible”) … ([CHENG, Para. 0081] “In one additional embodiment, the SFTSP includes Deterministic Derivation of Cryptocurrency Signing Keys with Split Master Seed and Enforcement of M-of-N Authentication Policy. This supports the SFTSP with innovations in Bitcoin, Ethereum and Blockchain, new service and product offerings in cryptocurrency.”) … ([CHENG, Para. 0291] “FIG. 25 shows a logic flow diagram illustrating embodiments of a transaction server transaction signing (TSTS) component for the SFTSP. In FIG. 25, a transaction signing request may be obtained at 2502. For example, the transaction signing request may be obtained as a result of a user utilizing a UI of an online transaction signing runtime CLI program to initiate transaction signing (e.g., a fund transfer EOA transaction on Ethereum blockchain) using a master key associated with a hierarchical deterministic wallet.”) … ([CHENG, Para. 0356] “The signed transaction data and/or the encrypted third master private key share may be returned at 2929. In one implementation, the transferable data (e.g., the signed transaction data and/or the encrypted third master private key share) may be an output of the hot SFTS API call.”).

Regarding claim 12, claim 12 teaches of a non-transitory computer readable storage medium comprising the features of claim 1. Therefore, claim 12 is rejected in a similar manner as in the rejection of claim 1. CHENG further teaches ([CHENG, Para. 0401] “Generally , any mechanization and / or embodiment allowing a processor to affect the storage and / or retrieval of information is regarded as memory 3229 …… A storage device 3214 may be any various computer system storage . Storage devices may include …. processor-readable storage mediums; and / or other devices of the like . Thus , a computer systemization generally requires and makes use of memory .”)


Claims 2-6, 13-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over CHENG- HAMEL in view of MACHANI (US-10225084-B1), hereinafter CHENG-HAMEL-MECHANI.
Regarding claim 2 and 13, CHENG-HAMEL teaches all limitations of claim 1. However, CHENG does not teach “further comprising: receiving an access token from a remote service by a client from a server; and receiving scoped credentials from the remote service based on the access token, the scoped credentials providing client authorization to the third service.”.
In an analogous teaching, MECHANI teaches “further comprising: receiving an access token from a remote service by a client from a server; and receiving scoped credentials from the remote service based on the access token, the scoped credentials providing client authorization to the third service.” ([MECHANI, Col. 4 lines 38-48 ] “Device 1 100 uses the authorization grant to obtain access token from authorization server 190. For example, client 108 authenticates to authorization server 190, and presents the authorization grant to access token generation logic 196. The access token generation logic 196 responds by validating the authorization grant and issuing the access token to the client 108. The access token in this embodiment represents an authorization that contains credentials, which are different from the authorization grant obtained from the first user 125, and which allows access to content in the content management server 180.”) … ([MECHANI, col. 4 lines 53-57] “Also, it should be noted that upon validating the authorization grant, the access token generation logic 196 may also issue a refresh token to the client 108. The refresh token may contain credentials…”)
Thus, given the teaching of MECHANI, it would have been obvious to one of ordinary skill
in the art before the effective filling date of the claimed invention to combine the teaching of receiving access tokens and credentials from remote services as taught by MECHANI into the teaching of a method for performing non-custodial authentication for a client as taught by CHENG-HAMEL. One of ordinary skill in the art would have been motivated to do so because MECHANI recognizes the need to improve the security of content sharing. ([MECHANI, col. 1 lines 35-38] “Given the unparalleled growth in fraudulent activity, there is therefore a need for solutions for sharing digital content between users while also ensuring the security of the content. The present invention fulfils this and other needs.”).

Regarding claim 3 and 14, CHENG-HAMEL-MECHANI teach all limitations of claim 2. CHENG further teaches “further comprising accessing an encrypted copy of the private key; providing the encrypted copy of the private key and the scoped credentials to the remote service; and receiving the decrypted private key by the client from the remote service.” ([CHENG, para. 0102] “The second HSM may encrypt the master private key using the public key encryption key (e.g., associated with the first HSM), and may respond to the get master request by returning the encrypted master private key to the first HSM. The first HSM may decrypt the master private key using the private key decryption key, may utilize the decrypted master private key and the SFTS module to sign the transaction, and may respond with a signed transaction (e.g., ECDSA signature in DER format). Sensitive operations, such as key derivation and transaction signing, are implemented inside the first HSM appliance and secret key materials are encrypted when transferred between the two HSMs.”) … ([CHENG, para. 0143] “If a portable HSM is being utilized, an encrypted master private key may be obtained at 617. In one implementation, the portable HSM may be queried to obtain the encrypted private master key. For example, the private master key may be encrypted using a public key encryption key (e.g., associated with the HSM) stored by the portable HSM. A private key decryption key for the HSM may be retrieved at 621. In one implementation, the private key decryption key may be determined using a PKCS#11 function (e.g., C_FindObjectsInit( . . . )).”) … ([CHENG, para. 0144-0145] “Although one may choose to use the above to determine the master private key and/or the private key decryption key, in an alternative embodiment, the master private key and/or the private key decryption key may be determined via a MySQL database command (e.g., retrieved from a MySQL database in tamper-proof storage) … The encrypted master private key may be decrypted at 625 using the retrieved private key decryption key.”).

Regarding claim 4, CHENG- HAMEL-MECHANI teach all limitations of claim 3. CHENG further teaches “wherein a hardware security module in communication with the third-party service decrypts and encrypts the private key.” ([CHENG, para. 0102] “The second HSM may encrypt the master private key using the public key encryption key (e.g., associated with the first HSM), and may respond to the get master request by returning the encrypted master private key to the first HSM. The first HSM may decrypt the master private key using the private key decryption key”) … ([CHENG, para. 0256] “The encrypted master key may be provided to the hosting HSM at 2029. For example, the hosting HSM may decrypt and/or store the recovered master key for the specified wallet.”) … ([CHENG, para. 0202] “For example, the RSA public key may be utilized by the hosting HSM to encrypt the master key hosted by the hosting HSM such that the corresponding RSA private key, available to the backup HSM, may be used to decrypt the master key.”) [Examiner’s Note: Here ‘third-party’ is interpreted as other HSMs that are in communication and also able to do the encryption/decryption]

Regarding claim 5, CHENG- HAMEL-MECHANI teach all limitations of claim 4. CHENG further teaches “wherein the hardware security module decrypts and encrypts the private key using a master key that cannot be exported by the remote service.” ([CHENG, para. 0089] “For example, attributes for seed share one may be set to make seed share one sensitive and not exportable. In another example, attributes for seed share two may be set to make seed share two sensitive but exportable.”) … ([CHENG, para. 0106] “The second HSM may encrypt the second master private key share using the public key encryption key (e.g., associated with the first HSM), and may respond to the get master request by returning the encrypted second master private key share to the first HSM. The first HSM may decrypt the second master private key share using the private key decryption key, may utilize the decrypted second master private key share, the first master private key share, any other master private key share(s)”) … ([CHENG, para. 0274] “When key shares are created (e.g., from a master private key in a key-generation ceremony), one share may be marked as non-extractable on the designated HSM device where the FM with Shamir's Secret Sharing is deployed. HSM storage of this share, under certified FIPS 140-2 level 3 protections, ensures the entire master private key is not vulnerable to key theft since it is not exposed outside of the HSM.”).

Regarding claim 6 and 15, CHENG- HAMEL-MECHANI teach all limitations of claim 2. CHENG further teaches “further comprising: transmitting the generated private key and scoped credentials to a remote hardware security module; and receiving an encrypted private key from the hardware security module.” ([CHENG, para. 0101] “The first HSM may send a get master request to a second HSM 440. For example, the second HSM may be a portable USB HSM. The second HSM's tamper-proof storage (e.g., the second HSM's firmware) may store a master private key (e.g., an ECDSA private key) 444 and a public key encryption key (e.g., an RSA public key that corresponds to the RSA private key stored in the first HSM's tamper-proof storage) 446. In one embodiment, the second HSM may include a split credentials PIN entry device (PED) to provide for multiple-person (e.g., M-of-N) user access rule for HSM activation and/or operation (e.g., 2-of-3 operation enforcement that allows access to the master private key if at least two out of three people provide their separate credentials to the second HSM).”) … ([CHENG, para. 0102] “The second HSM may encrypt the master private key using the public key encryption key (e.g., associated with the first HSM), and may respond to the get master request by returning the encrypted master private key to the first HSM.”).

Regarding claim 20, this claim recites features similar to those recited in claims 1 and 2 therefore, claim 20 is rejected in a similar manner as in the rejection of claims 1 and 2. Furthermore, CHENG teaches of a system comprising a memory and a processor, para. 0384. 

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over CHENG-HAMEL in view of SLUPESKY (US-20180330368-A1).
Regarding claim 7 and 16, CHENG-HAMEL teaches all limitations of claim 1. However, CHENG does not teach “further comprising: receiving a message from the client by the server, the message identifying a user at the client; registering the user with the third-party service; receiving the access token by the server from the third-party service in response to registering the user with the third-party service; and transmitting the access token to the client by the server.”.
In analogous teaching SLUPESKY teaches “receiving a message from the client by the server, the message identifying a user at the client;” ([SLUPESKY, para. 0038] “In response to receiving the alternate address (or otherwise discerning the alternate address), the user device 14 requests registration (at S2) from the resource client device 12 by sending a registration request message that includes (explicitly or implicitly) the alternate address.”) … ([SLUPESKY, para. 0034] “The alternate address is an address or identifier that may be used to communicate with the user 16 via the alternate communication channel 24. For example, the alternate address may be the user's phone number, email address, or URI.”) registering the user with the third-party service; ([SLUPESKY, para. 0032] “FIG. 2 illustrates an example of a registration method 50 of registering the resource client device 12 and/or the user device 14 with the resource server 10. The registration method 50 includes verifying communication with the user 16 and supplying an access token from the resource server 10 to the resource client device 12. In the registration method 50, the resource server 10, the resource client device 12, the user device 14, and the user 16 are situated in the computing context illustrated in FIG. 1.”) receiving the access token by the server from the third-party service in response to registering the user with the third-party service; ([SLUPESKY, para. 0068] “Once the passcode that was received from the resource client device 12 is verified and the access token is active (i.e., the access token is sent to the resource client device 12 and/or is acknowledged as received by the resource client device 12),”) and transmitting the access token to the client by the server. ([SLUPESKY, para. 0069] “In response to receiving the access token from the resource server 10, the resource client device 12 may send (at S9) a user access token (user-token) or another form of a registration/verification success message to the user device 14. The optional user access token is an authentication key to be used by the user device 14 to submit messages to the resource client device 12.”) … ([SLUPESKY, para. 0072] “The user device 14 may receive the user access token from the resource client device 12 and store the user access token for use in future messages to the resource client device 12.”).
 Thus, given the teaching of SLUPESKY, it would have been obvious to one of ordinary skill
in the art before the effective filling date of the claimed invention to combine the teaching of registering users through the use of access tokens as taught by SLUPESKY into the teaching of a method for performing non-custodial authentication for a client as taught by CHENG-HAMEL. One of ordinary skill in the art would have been motivated to do so because SLUPESKY recognizes the benefits of authenticating users through the user of access tokens ([SLUPESKY, para. 0016] “By authenticating the resource client devices (local devices) according to the present disclosure, the resource server (remote server) and/or the resource client devices may operate and/or communicate in a potentially untrusted (e.g., uncontrolled) environment (e.g., through the Internet) and/or with potentially untrusted devices (e.g., uncontrolled user devices such as smart phones).”)

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over CHENG-HAMEL, in view of KOSKIMIES (US-20130074158-A1), and further in view of CARNCROSS (US-20160323244-A1).
Regarding claims 9 and 18, CHENG teaches all limitations of claim 1. CHENG further teaches “wherein the client includes a network browser ……” ([CHENG, Para. 0395] “Network interfaces 3210 may accept, communicate, and/or connect to a communications network 3213. Through a communications network 3213, the SFTSP controller is accessible through remote clients 3233 b (e.g., computers with web browsers) by users 3233 a.”) …... the private key generated by code ([CHENG, Para. 0159] “A RSA key pair may be generated at 607. In one embodiment, a RSA key pair (e.g., a RSA public key and a corresponding RSA private key) may be predefined (e.g., for a HSM). In one implementation, the RSA public key may be determined using a PKCS#11 function (e.g., C_FindObjectsInit( . . . )). In another implementation, the RSA public key may be determined via an internal call on a HSM environment setting configured externally at HSM deployment time. In an alternative implementation, the RSA public key may be determined via a MySQL database command (e.g., retrieved from a MySQL database in tamper-proof storage). In another embodiment, a RSA key pair may be generated dynamically (e.g., each time transaction signing is executed).”).
However, CHENG does not teach “wherein the DIDT is generated by code”.
In an analogous teaching, HAMEL teaches “wherein the DIDT is generated by code”.  ([HAMEL, para. 0117] “A system for credential storing and verifying using a distributed ledger is disclosed. The system includes an interface and a processor. The interface is configured to receive an indication to register a credential. The processor is configured to indicate to store in a distributed ledger a decentralized identifier (DID) document associated with a holder identifier using a smart contract,”) … ([HAMEL, para. 0223] “In 8D06, user is registered with distributed ledger. For example, a DID keypair that is associated with the user is generated on the mobile device and sent to the DCIAMS to be registered as a DID document with the distributed ledger.”) … ([HAMEL, para. 0235] “Credential issuing application 9C18 comprises an application for issuing a digital credential for proving a qualification in response to a request from a credential issuing authority to issue the credential. Applications 9C06 additionally comprises any other appropriate applications.”).
The same motivation to modify CHENG with HAMEL as in the rejection of claim 1, applies.
CHENG-HAMEL does not teach “the network browser providing an iframe, …… wherein the DIDT is generated by code executing within the iframe of the network browser.”
However CHENG in view of HAMEL and KOSKIMIES teaches “the network browser providing an iframe ([KOSKIMIES, para. 0070] “The third party domain instead opens a page from the data store domain in an (invisible) iframe and gets a domain-specific authentication token from the iframe using the browser's postMessage API.”) ….. wherein the DIDT [in the same manner as above, HAMEL teaches a DID token] token is generated by code executing within the iframe of the network browser ([KOSKIMIES, para. 0070] “The iframe can access the cookie that stores the user authentication token and use that to generate a domain specific authentication token.”).
The same motivation to modify CHENG with HAMEL as in the rejection of claim 1, applies.
Thus, given the teaching of KOSKIMIES, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of network browser using iframe as taught by KOSKIMIES into the teaching of a method for performing non-custodial authentication for a client using DIDT as taught by CHENG-HAMEL. One of ordinary skill in the art would have been motivated to do so because KOSKIMIES recognizes the need to provide web applications with improved security. ([KOSKIMIES, para. 0002] “Therefore, there is a need for an approach for providing a flexible and convenient data application interface for mobile web applications with improved security.”) ([KOSKIMIES, para. 0036] “The system 100 provides security that is effective in both online and offline modes. The system 100 also provides security without the need for application developers to create server-side code for request signing.”).
However, CHENG-HAMEL-KOSKIMIES do not specifically disclose the “private key generated by code within the iframe”.
In analogous teaching CARNCROSS teaches the private key generated through iframe. “private key generated by code within the iframe” ([CARNCROSS, para. 0111] “In examples where a server provides the RSA private key, the server may do this by generating a web page representing the IFrame contents and containing the RSA public key”).
Thus, given the teaching of CARNCROSS, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of private key generated through the use of iframe as taught by CARNCROSS into the teaching of a method for performing non-custodial authentication for a client using DIDT as taught by CHENG-HAMEL. One of ordinary skill in the art would have been motivated to do so because CARNCROSS recognizes the benefits of providing a secure computing environment. ([CARNCROSS, para. 0058] “In broad terms, the approach of the present invention is to provide a safe computing environment on a computing device. Event reporting software can then be executed in this safe computing space to provide assurance that reports from the reporting software have not been interfered with.”).

Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over CHENG-HAMEL in view of KRSTIC (US-20200213323-A1) based on its priority date  of 9/30/2015, and further in view of SOLIN (US-20130311773-A1).
Regarding claim 10 and 19, CHENG-HAMEL teaches all limitations of claim 8. CHENG further teaches “transmitting …. encrypted key to the remote service” ([CHENG, para. 0106] “The second HSM may encrypt the second master private key share using the public key encryption key (e.g., associated with the first HSM), and may respond to the get master request by returning the encrypted second master private key share to the first HSM. The first HSM may decrypt the second master private key share using the private key decryption key”). However, CHENG-HAMEL does not teach “detecting a lost password event from the client; providing a second access token to the client by the server; accessing scoped credentials based on the access token by the client; transmitting the scoped credentials …… to the remote service; and receiving a decrypted copy of the private key by the client based at least in part on the scoped credentials. 
In analogous teaching, KRSTIC teaches “detecting a lost password event from the client;” ([KRSTIC, para. 0049] “The fourth stage 208 shows a settings page 228 that has a control 230 for resetting the password associated with an account accessed by the device. The fourth stage shows the user selecting this password reset option 230.”) providing a second access token to the client by the server; accessing scoped credentials based on the access token by the client; ([KRSTIC, para. 0013] “In some embodiments, the server set includes different subsets of servers that provide service access tokens, ARPs, and ACPs.” ) ([KRISTIC, para. 0070] “After the server set has received the password-change request from the process 400, the server set processes this request (e.g., authenticates this request, invalidates any ARP if necessary, generates a new service token, etc.)”) ([KRSTIC, para. 0044] “the process 100 provides (at 125) the device with a service access token and an ARP, and then ends. In some embodiments, the device then encrypts the ARP by using its passcode and stores the encrypted ARP (e.g., locally on the device). Subsequently, the device can use the ARP to change at least a portion of the account credential set (e.g., to change the account password) without providing the complete account credential set”) 
Thus, given the teaching of KRSTIC, it would have been obvious to one of ordinary skill
in the art before the effective filling date of the claimed invention to combine the teaching of detecting a lost password event as taught by KRSTIC into the teaching of a method for performing non-custodial authentication for a client as taught by CHENG-HAMEL. One of ordinary skill in the art would have been motivated to do so because KRSTIC recognizes the benefit of providing a way to reset a password through the use of access tokens. ([KRSTIC, para. 0044] “When the process determines (at 120) that the device has the needed passcode, the process 100 provides (at 125) the device with a service access token and an ARP, and then ends.”) ([KRSTIC, para. 0045] “This is highly beneficial when the user does not remember the account password and needs to change it. The ARP allows the user to do this by simply providing the passcode for the device.”)
However, CHENG-HAMEL-KRSTIC does not teach “transmitting the scoped credentials …. to the remote service; and receiving a decrypted copy of the private key by the client based at least in part on the scoped credentials.”.
In analogous teaching SOLIN teaches “transmitting the scoped credentials ([SOLIN, Para. 0058] “the credential server 110 receives a credential to be stored in the credential database 114. In block 520, the credential server 110 receives the public key of the user. In one embodiment, the public key may be obtained from within the credential store. In other embodiments, the public key is obtained from an external directory. In block 530, the new (or updated) credential is encrypted using the user's public key. Finally, in block 540, the encrypted credential is stored in the credential database 114.”) and receiving a decrypted copy of the private key by the client based at least in part on the scoped credentials.” ([SOLIN, Para. 0059] “FIG. 6 illustrates a technique for retrieving a credential from the credential store 100 according to one embodiment. In block 600, the credential server 110 authenticates a user requesting a credential session from the client 140. In block 610, the credential requested (assuming it exists) is retrieved from the credential database 114. Then in block 640, the credential is sent to the requesting user. Blocks 620 and 630, enclosed in dashed lines, indicated a further embodiment in which the private key store 112 may provide the user's private key, based on the authentication information received from the user in block 600. In this embodiment, in block 620, the credential server 110 may retrieve the private key, which is decrypted in block 630 before sending it in block 640. As indicated above, the act of sending the credential in block 640 may be to send it to the requesting user”).
Thus, given the teaching of SOLIN, it would have been obvious to one of ordinary skill
in the art before the effective filling date of the claimed invention to combine the teaching of transmitting credentials and sending a private key to the user as taught by SOLIN into the teaching of a method for performing non-custodial authentication for a client as taught by CHENG-HAMEL. One of ordinary skill in the art would have been motivated to do so because SOLIN recognizes the benefits of providing secure credentials to access computer systems. ([SOLIN, para. 0016] “embodiments disclosed herein provide a secure credential store that can be used for on-demand and scheduled retrieval of credentials that may be used to access computer systems … Although the description of embodiments herein is written in the context of a credential store that stores login credentials for computer systems, the present invention is not so limited, but may be employed to provide secure access to information of any kind.”) ([SOLIN, para. 0019] “The embodiments disclosed herein are resistant to attack because unlike many computer systems, no single user is required to have access to all of the credentials stored in the system, thus eliminating a single attack point”)

The prior art made of record and not relied upon is considered pertinent to applicant’s
disclosure.
WEIMER (US-10454683-B2) discloses a computer implemented system and method for user authentication based on blockchain technology. The method also comprises determining a root system for the user using a blockchain and determining a root system secret to obtain identification data using the secret. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434   

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434