Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to amendment
	Applicant has amended independent claims 1 & 13 and dependent claims 2-4, 10, 12, 17 & 19. The amendment of claims 2-4 & 10 has been reviewed and found to have overcome the 112b rejections issued for these claims, and the 112b rejections for these claims have been withdrawn.
Response to Arguments
	As stated above, the Applicant amended independent claims 1 & 13 and argued in the Remarks filed on 3/28/2022 that cited arts Herberg and Verma do not teach:
	1. “validating the authentication data and security information included in the machine readable optical label at the mobile device”;
2. “the certificate request digitally signed using the authentication data and the security information”.
The Examiner respectfully disagrees as:
1. Herberg and Verma teach the authentication data and security information included in the machine readable optical label at the mobile device as illustrated below in the office action, and the argument that Herberg and Verma do not teach “validating the authentication data and security information” has been reviewed and found to be moot as the Examiner brings in a new reference.
2. The Examiner also respectfully disagrees with the second argument as Herberg teaches “the certificate request digitally signed using the authentication data and the security information” in paragraph 0056. [para 0056: In the above embodiments, the enrollment is performed using the customer device key pair and the CSR being communicated to the CA server 120. In some embodiments, the verification may be performed at the CA server 120 to confirm that the customer device 104 possesses the customer device private key. For example, in these and other embodiments may implement a challenge/response system such as a challenge-response authentication mechanism (CRAM). Additionally or alternatively, the CRS may be signed by the customer device private key. The CA server 120 may verify the signature by using the customer device public key, which may be included as part of the CSR.] It is obvious to an ordinarily skilled person in the art that the teaching of Herberg for signing a CSR with a private key can be easily applied for teaching of the limitation “the certificate request digitally signed using the authentication data and the security information”, as both the private key and the authentication data and security information are expressed in bits (zeros and ones) in a computer system, and a signing algorithm takes bits as input and processes the bit inputs to generate the signature.
The Applicant has recorded no other additional arguments in the remarks.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-2, 5-6, 13-15 & 20-21 are rejected under 35 USC 103 as being unpatentable over Herberg (US20150319142 as mentioned in IDS dated 5/29/2020) in view of Verma (US 201503043909) and Kulpati (US 20100312703).
Regarding claim 1, Herberg teaches a method for registering a mobile device, the method comprising: receiving at the mobile device a machine readable optical label, [[0043] The QR code (machine readable optical label) may be communicated to the customer 102 and/or the customer device 104. The QR code may be communicated via an OOB network. For example, the QR code may be included in a MMS message communicated to the customer device 104. Additionally, the QR code may be mailed to the customer 102. Additionally still, the QR code may be included in an email message sent to the customer 102.] 
Including authentication data and security information; [0041] The QR code may include a uniform resource locator (URL), the temporary identifier, the provider CRT, the provider public key (which may be included in the provider CRT), the OTP, and CSR content. One or more of the URL, the temporary identifier, the provider CRT, the provider public key, the OTP, and the CSR content in the QR code may be encrypted using the device ID 126. The CSR content may include information uses in a CSR. For example, the CSR content may include a distinguished name (DN), an organization name, a geographical location, an email address, and the like.] 
scanning the machine readable optical label to read the authentication data and the security information; [0044] The customer device 104 and/or the customer 102 may receive the QR code via the OOB network or via the network 122. In some embodiments in which the QR code is received via the OOB network (e.g., the mail), the customer 102 may use a scanner 130 of the customer device 104 or another system to scan the QR code. The scanner 130 may include a two-dimensional imaging scanner, a camera included in the customer device 104, or any other suitable scanner. The customer device 104 may accordingly receive a read image of the QR code, which may enable the customer enrollment module 106 to extract the information included in the QR code (which has both authentication and security information as illustrated above also in para 0041 of instant prior art.)]
generating at the mobile device a certificate request, the certificate request digitally signed using the authentication data and the security information; [0048] The customer enrollment module 106 may then communicate a confirmation message to the provider enrollment module 112 via the network 122. The confirmation message may use TLS encryption without client authentication in some embodiments. The confirmation message may include the decrypted OTP, the generated customer device public key, and the customer device CSR. In some embodiments, the confirmation message may include the decrypted OTP and the generated customer device public key. [0056] In the above embodiments, the enrollment is performed using the customer device key pair and the CSR being communicated to the CA server 120. In some embodiments, the verification may be performed at the CA server 120 to confirm that the customer device 104 possesses the customer device private key. For example, in these and other embodiments may implement a challenge/response system such as a challenge-response authentication mechanism (CRAM). Additionally or alternatively, the CRS may be signed by the customer device private key. The CA server 120 may verify the signature by using the customer device public key, which may be included as part of the CSR. It is obvious to an ordinarily skilled person in the art that the teaching of Herberg for signing a CSR with a private key can be easily applied for teaching of the limitation “the certificate request digitally signed using the authentication data and the security information”, as both the private key and the authentication data and security information are expressed in bits (zeros and ones), and a signing algorithm takes bits as input and processes the bit inputs to generate the signature.]
and transmitting the certificate signing request to a registration authority. [0051] In embodiments in which the confirmation message includes the customer device CSR, the provider enrollment module 112 may be configured to communicate the customer device CSR to the CA server 120. The CA 118 may sign the customer device CSR and transmit a customer device CRT to the provider enrollment module 112. The provider enrollment module 112 may communicate the customer device CRT to the customer device 104.]
Although Herberg teaches optical label, he does not teach explicitly, however, Verma teaches validating the machine readable optical label at the mobile device; [0028] At step 310, the CA receives a certificate signing request (CSR) which stores a public key to be named in the certificate requested at step 305. In one embodiment, the CA receives the CSR from a mobile application, which itself, recovered the CSR from one or more QR codes displayed on the monitor of the server which generated the public key. The CA then correlates the CSR received at step 310 with the certificate enrollment data received at step 305. At step, 315, the CA generates the requested certificate.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg with the disclosure of Verma. The motivation or suggestion would have been to implement a system that will provide efficient techniques for use of machine readable optical data enrolling a mobile device. (abstract, paras 0002-0008, Verma)  
Although Herberg and Verma teach machine readable authentication data and security information optical data as illustrated above, they do not teach explicitly, however, Kulpati teaches the validating the authentication data and security information, [0034] In some embodiments, ….he consumer. The registration process may include an authentication process wherein the consumer is requested to provide information that confirms their identity or proves that they are authorized to conduct payment transactions using the payment account. Such information may take the form of a passcode, password, security data, or other form of authentication or identification data that was previously provided to an authentication service. ….. For example, a consumer seeking to register their mobile payment device may be asked to submit their mobile phone number or other form of mobile payment device identifier, and the account number for the payment account that they wish to have associated with the mobile identifier. An authentication service may then request that the consumer submit a form of authentication data to confirm their identity (e.g., a password, etc.), where the authentication data was previously submitted and associated with the consumer. If the authentication data submitted by the consumer is verified as being correct (i.e., it is the data previously submitted and associated with the consumer or the consumer's payment account), then the mobile device identifier is associated with the consumer's payment account. As will be described, in some embodiments of the invention, this may enable the consumer to perform payment transactions using the mobile device without the need to submit any further authentication or identification data.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma with the disclosure of Kulpati. The motivation or suggestion would have been to implement a system that will provide improved techniques to prevent fraud, hacking, misrepresentations, or repudiation. (para 0005, Kulpati)
Regarding claims 2 & 14, although Herberg and Kulpati  teach certificate request, he does not teach explicitly, however, Verma teaches the method further comprising . [0028] At step 310, the CA receives a certificate signing request (CSR) which stores a public key to be named in the certificate requested at step 305. In one embodiment, the CA receives the CSR from a mobile application, which itself, recovered the CSR from one or more QR codes displayed on the monitor of the server which generated the public key. The CA then correlates the CSR received at step 310 with the certificate enrollment data received at step 305. At step, 315, the CA generates the requested certificate. Typically, the CA digitally signs the public key in the CSR using the private key of the CA. Relying parties can then verify the information in the certificate, by verifying the signature of the CA listed in the certificate.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Kulpati with the disclosure of Verma. The motivation or suggestion would have been to implement a system that will provide efficient techniques for use of machine readable optical data enrolling a mobile device. (abstract, paras 0002-0008, Verma)  
Regarding claims 5 & 15, Herberg teaches wherein the machine readable optical label is a QR code. [[0043] The QR code (machine readable optical label) may be communicated to the customer 102 and/or the customer device 104. The QR code may be communicated via an OOB network. For example, the QR code may be included in a MMS message communicated to the customer device 104. Additionally, the QR code may be mailed to the customer 102. Additionally still, the QR code may be included in an email message sent to the customer 102.] 
Regarding claim 6, Herberg teaches wherein the authentication data comprises an identifier. [0037] Generally, the device ID 126 may include a device-specific number of the customer device 104. An example of the device ID 126 may include the Unique Device ID (UDID) used in APPLE® products that is a 40-digit alphanumeric sequence. [0038] In response to the enrollment message, the provider enrollment module 112 may generate a mapping. The mapping generally links or maps the customer device 104 to the set of information identifying the customer device 104 and/or the customer 102 from which the enrollment message is communicated. The mapping may include an OTP, a customer identifier, and a temporary identifier.
Regarding claim 13, the claim is interpreted to be similar to claim 1 and rejected for the same reasons as set forth for claim 1.
Regarding claims 20-21, Herberg teaches wherein the authentication data includes a onetime enrollment code (OTEC) value, wherein the certificate request is digitally signed using the OTEC value as an input to a signing process. [0050] In some embodiments (of Enrollment), the OTP (one time passcode/one time enrolment code) may be rate-limited. For example, the OTP may be rate-limited per internet protocol (IP) address (e.g., the IP address of the customer device 104) and/or may be rate-limited per temporary identifier. For example, the OTP may be rate-limited to five attempts per IP address. By rate-limiting the OTP, the provider server 110 may fend off or avoid brute-force attacks. [0056] In the above embodiments, the enrollment is performed using the customer device key pair and the CSR being communicated to the CA server 120. In some embodiments, the verification may be performed at the CA server 120 to confirm that the customer device 104 possesses the customer device private key. For example, in these and other embodiments may implement a challenge/response system such as a challenge-response authentication mechanism (CRAM). Additionally or alternatively, the CRS may be signed by the customer device private key. The CA server 120 may verify the signature by using the customer device public key, which may be included as part of the CSR. It is obvious to an ordinarily skilled person in the art that Herberg teaches OTP (one time enrollment code), and it is further obvious that the teaching of Herberg for signing a CSR with a private key can be easily applied for teaching of the limitation “the certificate request digitally signed using the OTEC”, as both the private key and the OTEC are expressed in bits (zeros and ones), and a signing algorithm takes bits as input and processes the bit inputs to generate the signature.]

Claims 3, 7, 11-12 & 18-19 are rejected under 35 USC 103 as being unpatentable over Herberg in view of Verma, Kulpati and Khan (US20180247298)
Regarding claim 3, although Herberg, Verma and Kulpati teach optical label, they don’t teach explicitly, however, Khan teaches validating, at the mobile device, using a checksum. [0069] At step 200, ……server 104B. In one embodiment, the merchant backend server 104B gets the QR code (or the information encoded by the QR code) from the mobile backend server 104A. In one embodiment, the QR code can contain additional information, such as a security checksum, that is used to authenticate the information encoded within the QR code, to verify that the address within the QR code is authentic, i.e., that the user 106 is not being directed to a malicious server.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Khan. The motivation or suggestion would have been to implement a system that will provide efficient techniques for encoding and decoding optical data such as QR codes. (paras 0007-0008, Khan)
Regarding claim 7, although Herberg, Verma and Kulpati teach authentication data, they do not teach explicitly, however, Khan teaches wherein the authentication data comprises a corresponding checksum. [0069] At step 200, ……server 104B. In one embodiment, the merchant backend server 104B gets the QR code (or the information encoded by the QR code) from the mobile backend server 104A. In one embodiment, the QR code can contain additional information, such as a security checksum, that is used to authenticate the information encoded within the QR code, to verify that the address within the QR code is authentic, i.e., that the user 106 is not being directed to a malicious server.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Khan. The motivation or suggestion would have been to implement a system that will provide efficient techniques for encoding and decoding optical data such as QR codes. (paras 0007-0008, Khan)
Regarding claims 11 & 18, although Herberg, Verma and Kulpati teach security information, they do not teach explicitly, however, Khan teaches wherein the security information comprises biometric data. [0054] In one embodiment, backend server 104A is configured to authenticate the user before completing the transaction. This authentication may be done with the help of mobile device 112 and/or point of interaction 110, e.g., by requiring the entry of a password, passcode, or passphrase, by fingerprint sensor or other biometric information, etc.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Khan. The motivation or suggestion would have been to implement a system that will provide efficient techniques for encoding and decoding optical data such as QR codes. (paras 0007-0008, Khan)
Regarding claims 12 & 19, although Herberg, Verma and Kulpati teach the machine readable optical label, they do not teach explicitly, however, Khan teaches wherein validating the machine readable optical label at the mobile device comprises: retrieving, at the mobile device, user biometric data relating to the user; and validating, at the mobile device, that the user biometric data matches the biometric data from the security information. [0057] In one embodiment, .. a personal computer, etc. In one embodiment, the user may be asked to enter additional information to authorize the card data. Examples of authentication information include, but are not limited to, the CVV or CVC number commonly printed on the back of many credit or debit cards, user ID, password, passcode, or personal information number (PIN), fingerprint or other biometric information, and so on. This additional authentication information may or may not be stored within database 102, according to the rules and regulations as well as need for a particular kind of information. It is obvious to a skilled person in the art that the biometric data may be matched with biometric data (security data) stored in the database for validating the user/customer.]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Khan. The motivation or suggestion would have been to implement a system that will provide efficient techniques for encoding and decoding optical data such as QR codes. (paras 0007-0008, Khan)

Claims 4, 8-10 & 16-17 are rejected under 35 USC 103 as being unpatentable over Herberg in view of Verma, Kulpati and Jamkhedkar (US20190205865)
Regarding claim 4, although Herberg, Verma and Kulpati teach the machine readable optical label, they do not teach explicitly, however, Jamkhedkar teaches wherein the step of validating the machine readable optical label comprises validating, at the mobile device, using an expiration time. [0031] Various features ..data transfers. In some embodiments, the QR codes of the present disclosure may be provided with an expiration date. For example, a first entity (and/or the support server 120) may impose an expiration date on a QR code such that the QR code is ineffective after a certain period of time. For static QR codes, the expiration date may be days, weeks, months, or years. For dynamic QR codes, the expiration date may be minutes or hours. In some embodiments, certain regions or markets may have a shorter or longer expiration duration based on the security of the region or market. For example, in regions or countries of high crime, the expiration date may be shorter as compared to regions or countries with lower crime rates. As another example, for a merchant who works in a market with high incidence of fraud, the expiration date may be shorter.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Jamkhedkar. The motivation or suggestion would have been to implement a system that will provide efficient techniques for quick response (QR) codes and their uses in a variety of secured data transfers. (abstract, paras 0001-0002, Jamkhedkar)
Regarding claim 8, although Herberg, Verma and Kulpati  teach authentication information, they do not teach explicitly, however, Jamkhedkar teaches wherein the authentication data comprises an expiration time.  [0031] Various features ..data transfers. In some embodiments, the QR codes of the present disclosure may be provided with an expiration date. For example, a first entity (and/or the support server 120) may impose an expiration date on a QR code such that the QR code is ineffective after a certain period of time. For static QR codes, the expiration date may be days, weeks, months, or years. For dynamic QR codes, the expiration date may be minutes or hours. In some embodiments, certain regions or markets may have a shorter or longer expiration duration based on the security of the region or market. For example, in regions or countries of high crime, the expiration date may be shorter as compared to regions or countries with lower crime rates. As another example, for a merchant who works in a market with high incidence of fraud, the expiration date may be shorter. 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg, Verma and Kulpati with the disclosure of Jamkhedkar. The motivation or suggestion would have been to implement a system that will provide efficient techniques for quick response (QR) codes and their uses in a variety of secured data transfers. (abstract, paras 0001-0002, Jamkhedkar)
Regarding claims 9 & 16, although Herberg, Verma and Kulpati teach security information, they do not teach explicitly, however, Jamkhedkar teaches wherein the security information comprises location data. [0033] In some embodiments, a QR code identifier may be logically coupled with a location identifier to enhance security of data transfers. For example, for a static QR code, the location may be based on a known location of the first entity and an identifier of the static QR code. As another example, for a dynamic QR code, the location may be based on a location of the device requesting the QR code and/or an expected location of the first entity. If the location identifier does not match with the QR code identifier, the QR code may not be verified. 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Jamkhedkar. The motivation or suggestion would have been to implement a system that will provide efficient techniques for quick response (QR) codes and their uses in a variety of secured data transfers. (abstract, paras 0001-0002, Jamkhedkar)
Regarding claims 10 & 17, although Herberg, Verma and Kulpati teach machine readable optical label, they do not teach explicitly, however, Jamkhedkar teaches wherein validating the machine readable optical label at the mobile device comprises: retrieving, at the mobile device, a current location of the mobile device; and validating, at the mobile device, that the current location is within the location data.  [0033] In some embodiments, a QR code identifier may be logically coupled with a location identifier to enhance security of data transfers. For example, for a static QR code, the location may be based on a known location of the first entity and an identifier of the static QR code. As another example, for a dynamic QR code, the location may be based on a location of the device requesting the QR code and/or an expected location of the first entity. If the location identifier does not match with the QR code identifier, the QR code may not be verified. 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Herberg and Verma and Kulpati with the disclosure of Jamkhedkar. The motivation or suggestion would have been to implement a system that will provide efficient techniques for quick response (QR) codes and their uses in a variety of secured data transfers. (abstract, paras 0001-0002, Jamkhedkar)
Relevant prior arts shown in PTO-892 but not used in the instant office action are as follows:
1. Turner (US8887262) discloses a Quick Recognition (QR) code scanner is activated on a computing device. A user specific QR code is scanned using the QR code scanner. User specific data that is encoded in the QR code is extracted from the scanned QR code. The computing device is configured to access a local area network based on the user specific data extracted from the scanned QR code. The computing device is registered, over the local area network, with a server using the user specific data extracted from the scanned QR code. User specific configuration information is received at the computing device from the server. The computing device is configured using the received configuration information.
2. Dong (CN10329534-translated copy attached)  discloses The invention claims a safety certification device and system for POS POS device security authentication method, the device comprises a security authentication information obtaining module for obtaining the security authentication information of the user, authentication information communication module. user security authentication for the information transmitted to the bank server for security authentication, and receives the security authentication data is returned, and a main control module for generating a data processing result based on said safety authentication data, a data passage control module; The data for interaction with the data processing result control POS security authentication device and the external device. The invention realizes the related device and apparatus for satellite positioning information acquisition registration and security identification verification, and POS safe authentication provides a biometric characteristic security authorization verification function, which effectively improves the security of POS security authentication, prevents the client password leakage, realizes the local secure payment client mobile phone.

Conclusion
	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER A KHAN whose telephone number is (571)272-8574. The examiner can normally be reached M-F 8:00 am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497