DETAILED ACTION
	- Claims 1-3, 5-12 and 14-17 are allowed.
	- Claims 4 and 13 are cancelled.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Allowable Subject Matter
 	The following is an Examiner's statement of reasons for allowance:
- Following a telephonic interview held on 5/26/2022, Applicant’s representative Mr. Pehr Janssen authorized the Examiner’s amendment presented below to correct 112(b) issues (see the Examiner’s amendment below).
- In view of Applicant’s claim amendments and Remarks filed on 5/4/2022, Applicant’s arguments were found to be persuasive. In particular, the arguments presented on pages 3, 6 and the first 3 paragraphs of page 7 are persuasive.
- In view of Applicant’s filed amendments and Remarks and further in view of the Examiner’s amendment below, the closest identified prior art of record including Gennaro, Hamel, Roche, Haeger and Khot, alone or in combination, do not teach or suggest the features of independent claims 1, 9 and 10 as amended. 

In view of the above, independent claims 1, 9 and 10 are deemed allowable. Claims 2-3, 5-8, 11-12 and 14-20 depend on one of claims 1 and 10, and are therefore allowable by virtue of their dependency.
In most cases, the examiner's actions and the applicant's replies make evident the reasons for allowance, satisfying the "record as a whole" proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner's actions clearly point out the reasons for rejection and the applicant's reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary. Conversely, where the record is not explicit as to reasons, but allowance is in order, then a logical extension of 37 CFR 1.111 and 1.133 would dictate that the examiner should make reasons of record and such reasons should be specific.
 	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Examiner’s Amendment
 	The Examiner’s amendment presented below was authorized by Mr. Pehr Jansson during a telephonic interview held on 5/26/2022.
Please amend the claims as follows:

(Currently Amended) A method of securely using, by a second tenant, a first tenant secret key stored under an encrypted form in a first token of a first tenant identified by a first tenant identifier and having said first tenant secret key, 
wherein: each tenant is identified by a tenant identifier, wherein 
each tenant identifier comprises a first value and, when said tenant is allowed to use a secret key of a parent tenant identified by a parent tenant identifier, said parent tenant identifier, appended before said first value, 
and said first token has been generated from said first tenant identifier and the first tenant secret key encrypted with said first tenant identifier and with a first tenant customer master key, said first tenant customer master key having been derived from said first tenant identifier and a secure domain master key, 
said method comprising the following steps performed by a secure device: 
storing said secure domain master key [[only]], wherein the domain master key is stored only on said secure device, and
said secure device, on request of a second tenant identified by a second tenant identifier: 
retrieving [[a]] the first tenant identifier and [[an]] the encrypted first tenant secret key of said first tenant from said first token, 
checking if the first tenant identifier is a prefix of or is equal to said second tenant identifier, 
when said first tenant identifier is a prefix of or is equal to said second tenant identifier, recovering from said first token said first tenant secret key stored in said first token by:
deriving the first tenant customer master key from the first tenant identifier retrieved from said first token and from said secure domain master key, and
obtaining said first tenant secret key by decrypting said encrypted first tenant secret key with said derived first tenant customer master key thereby recovering the first tenant secret key, and 
using the first tenant secret key for the second tenant to perform a cryptographic operation on behalf of the second tenant. 
(Previously Presented) The method of the claim 1, wherein said first values are generated at random. 
(Previously Presented) The method of claim 1, comprising, prior to said checking, an authentication by the secure device of said second tenant  requesting the use of said first tenant secret key. 
(Canceled) 
(Previously Presented) The method of the claim 1, wherein said request of the second tenant is using said first tenant secret key of said first tenant to perform a decryption of a secret of said first tenant, encrypted with said first tenant secret key, and using the first tenant secret key to perform a cryptographic operation on behalf of the second tenant comprises: 
decrypting said secret with said first tenant secret key, 
sending said decrypted secret to said second tenant. 
(Currently Amended) The method of the claim 1, wherein said request of the second tenant is using said first tenant secret key of said first tenant to perform a transciphering of a secret of said first tenant encrypted with said first tenant secret key, and using the first tenant secret key to perform a cryptographic operation on behalf of the second tenant comprises: 
obtaining a second token generated for the second tenant from said second tenant identifier and from a second tenant secret key encrypted with said second tenant identifier and with a second tenant customer master key, said second tenant customer master key having been derived from said second tenant identifier and a secure domain master key, 
decrypting said encrypted secret with said first tenant secret key, 
recovering [[a]] the second tenant customer master key of said second tenant from said second tenant identifier stored in the second token 
obtaining said second tenant secret key of the second tenant by decrypting with the recovered second tenant customer master key said encrypted second tenant secret key of said second tenant stored in the second token, 
encrypting said decrypted secret with said second tenant secret key of said second tenant, 
sending said secret encrypted with said second tenant secret key to said second tenant. 
(Previously Presented) The method of the claim 5, wherein said secret is a shared secret key of the first tenant. 
(Previously Presented) The method of the claim 4, wherein the second tenant has a secret and wherein using said first tenant secret key of said first tenant is performed for said second tenant requesting an encryption of said secret with said first tenant secret key, and comprises: 
encrypting said secret of the second tenant with said first tenant secret key, 
sending said encrypted secret of the second tenant to said second tenant. 
(Currently Amended) A nontransitory computer readable memory comprising a computer program product directly loadable into the nontransitory computer readable memory of a secure device, comprising software code instructions for performing when said computer program product is run on the secure device, a method of securely using, by a second tenant, a first tenant secret key stored under an encrypted form in a first token of a first tenant identified by a first tenant identifier and having said first tenant secret key, 
wherein: each tenant is identified by a tenant identifier, wherein 
each tenant identifier comprises a first value and, when said tenant is allowed to use a secret key of a parent tenant identified by a parent tenant identifier, said parent tenant identifier, appended before said first value, 
and said first token has been generated from said first tenant identifier and the first tenant secret key encrypted with said first tenant identifier and with a first tenant customer master key, said first tenant customer master key having been derived from said first tenant identifier and a secure domain master key, 
said method including the following steps: 
storing said secure domain master key only on said secure device, and
said secure device, on request of a second tenant identified by a second tenant identifier: 
retrieving the first tenant identifier of said first tenant from said first token, 
checking if the first tenant identifier is a prefix of or is equal to said second tenant identifier, 
when said first tenant identifier is a prefix of or is equal to said second tenant identifier, recovering from said first token said first tenant secret key stored in said first token by:
deriving the first tenant customer master key from the first tenant identifier retrieved from said first token and from said secure domain master key, and
obtaining said first tenant secret key by decrypting said encrypted first tenant secret key with said derived first tenant customer master key thereby recovering the first tenant secret key, and 
using the first tenant secret key for the second tenant to perform a cryptographic operation on behalf of the second tenant. 
(Currently Amended) A secure device comprising a processor, a memory and an interface configured to perform a method of securely using, by a second tenant, a first tenant secret key stored under an encrypted form in a first token of a first tenant identified by a first tenant identifier and having said first tenant secret key, 
wherein: each tenant is identified by a tenant identifier, wherein 
each tenant identifier comprises a first value and, when said tenant is allowed to use a secret key of a parent tenant identified by a parent tenant identifier, said parent tenant identifier, appended before said first value, 
and said first token has been generated from said first tenant identifier and the first tenant secret key encrypted with said first tenant identifier and with a first tenant customer master key, said first tenant customer master key having been derived from said first tenant identifier and a secure domain master key, 
said method including the following steps: 
storing said secure domain master key only on said secure device, and
said secure device, on request of a second tenant identified by a second tenant identifier: 
retrieving the first tenant identifier of said first tenant from said first token, 
checking if the first tenant identifier is a prefix of or is equal to said second tenant identifier, 
when said first tenant identifier is a prefix of or is equal to said second tenant identifier, recovering from said first token said first tenant secret key stored in said first token by:
deriving the first tenant customer master key from the first tenant identifier retrieved from said first token and from said secure domain master key, and
obtaining said first tenant secret key by decrypting said encrypted first tenant secret key with said derived first tenant customer master key thereby recovering the first tenant secret key, and 
using the first tenant secret key for the second tenant to perform a cryptographic operation on behalf of the second tenant.
(Previously Presented) The secure device of claim 10, wherein said first values are generated at random. 
(Currently Amended) The secure device of claim 10, configured to, prior to said checking, authenticate said second tenant requesting the use of said first tenant secret key. 
(Canceled) 
(Previously Presented) The secure device of claim 10, wherein said request of the second tenant is using said first tenant secret key of said first tenant to perform a decryption of a secret of said first tenant, encrypted with said first tenant secret key, and using the first tenant secret key to perform a cryptographic operation on behalf of the second tenant comprises: 
decrypting said secret with said first tenant secret key, 
sending said decrypted secret to said second tenant. 
(Currently Amended) The secure device of claim 10, wherein said request of the second tenant is using said first tenant secret key of said first tenant to perform a transciphering of a secret of said first tenant encrypted with said first tenant secret key, and using the first tenant secret key to perform a cryptographic operation on behalf of the second tenant comprises: 
obtaining a second token generated for the second tenant from said second tenant identifier and from a second tenant secret key encrypted with said second tenant identifier and with a second tenant customer master key, said second tenant customer master key having been derived from said second tenant identifier and a secure domain master key, 
decrypting said encrypted secret with said first tenant secret key, 
recovering [[a]] the second tenant customer master key of said second tenant from said second tenant identifier stored in the second token 
obtaining said second tenant secret key of the second tenant by decrypting with the recovered second tenant customer master key said encrypted second tenant secret key of said second tenant stored in the second token, 
encrypting said decrypted secret with said second tenant secret key of said second tenant, 
sending said secret encrypted with said second tenant secret key to said second tenant. 
(Previously Presented) The secure device of claim 14, wherein said secret is a shared secret key of the first tenant. 
(Previously Presented) The secure device of claim 14, wherein the second tenant has a secret and wherein using said first tenant secret key of said first tenant is performed for said second tenant requesting an encryption of said secret with said first tenant secret key, and comprises: 
encrypting said secret of the second tenant with said first tenant secret key, 
sending said encrypted secret of the second tenant to said second tenant. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434