DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
2.	Applicant filed amendment on 03/01/2022. Claims 6-9, 15-18, and 20 are pending. Claims 6-9, 15-18, and 20 are amended. Claim 10 is cancelled. Claims 6-9, 15-18, and 20 are rejected. After careful consideration of applicant arguments, the examiner finds them to be not persuasive.
Information Disclosure Statement
3.	The information disclosure statement (IDS) submitted on 01/07/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Rejection under 35 USC § 101
4.	The claims 6-10 rejections under 35 USC § 101 are withdrawn.
Claim Rejections - 35 USC §112
5.	The parts of rejections under 35 USC § 112 are withdrawn.
6.	Applicant argues that the claim language “processing circuitry configured to” is not intended use and should not be interpreted under 35 USC § 112(f). Applicant did not identify what the “particular instructions” were (Remarks, page 9, lines 1-3). With respect to “processing circuitry” is of the opinion that it can be “a CPU is an example of processing circuitry”. 
However, this is not in line with the Applicant’s specification. According to paragraph 126, “The terminal device… may include one or more central processing units (CPU) 30, such as processing circuitry that includes one or more processors…”. In other words, a “processing circuitry” is an example of a CPU. Therefore, as Applicant has not defined what a “processing circuitry”, the Specification fails written description.
Rejections under 35 U.S.C. § 103
7.	Applicant argues that the prior art references Mahaffey et al. (application ‘808) in view of Brinskelle (patent ‘869) and Bailey et al. (application ‘523) do not teach or suggest the amended claim 6. 
	However, applications ‘808 and ‘523, patent ‘869 teach amended limitations of claim 6 in paragraphs 65, 40, 255-257, 266, col.16, lines 38-43; col.11, lines 41-48; and col.42, lines 22-32 respectively. 
Claim Interpretation
Optional and Contingent  Limitations
8.	Optional limitations are generally not given patentable weight. See MPEP 2103(I)(C) (“Language that suggests or makes a feature or step optional but does not require that feature or step does not limit the scope of a claim under the broadest reasonable claim interpretation.”). 
9.	Claim 6 recites “transmitting a device authorization …in response to the determined risk assessment score being greater …”
10.	The underlined limitations represent optional language and are not given patentable weight.
11.	Contingent limitations are generally not given patentable weight. For example, if a claim states that a step occurs if a condition is met, the broadest reasonable interpretation of the claim does not require that the contingent step occurs because the condition may not be satisfied. System claims differ in that even if a condition that is required to perform a function is not met, the structure for performing the contingent limitation is given patentable weight. See MPEP 2111.04(II); see also Ex parte Schulhauser, Appeal 2013-007847 (PTAB April 28, 2016).
12.	Claim 7 recites “transmitting a verification command to the application client when the authorization request includes the user identifier and the device information of the application client”. There is no positively recited limitation that the verification command to be transmitted to the application client “when” the authorization request includes the user identifier and the device information of the application client, this is a contingent limitation. For example, in order that the verification command to be transmitted to the application client, the authorization request should include the user identifier and the device information of the application client which might not happen.
Claim 7 recites “generating a device authorization message according to the device information when the verification information is verified”. There is no positively recited limitation that the device authorization message to be generated “when” the verification information is verified, this is a contingent limitation. For example, in order that the device authorization message to be generated, the verification information should be verified which might not happen.
Nonfunctional Descriptive Material
13.	Nonfunctional descriptive material is generally not given patentable weight. See MPEP 2111.05. Any difference related merely to the meaning and information conveyed through labels (i.e., the type of the item) which does not explicitly alter or impact the steps of the method is nonfunctional descriptive material and does not patentably distinguish the claimed invention from the prior art in terms of patentability.
14.	Claims 6 and 15 recite “…the device authorization message deletion command being a command that instructs the application client to delete the device authorization message stored in the application client”.
Claim Rejections - 35 USC § 112
15.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

	The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

16.	Claims 6-9, 15-18, and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Lack of Algorithm
17. 	Claim 6 recites “performing… verification on the device authorization message included in the pull request by determining that correspondences…”
	Claim 15 recites “perform verification on the device authorization message included in the pull request by determining that correspondences …” 
18.	Claim 15 recites “A server…: processing circuitry configured to:…”
	Claim 16-18 recite “The server … the processing circuitry is further configured to:…”
19.	The underlined limitations should have the algorithm or steps/procedure taken to perform the function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed, (MPEP 2161.01(I)).
New matter
20.	Claim 6 recites “transmitting… the device authorization deletion command being a command that instructs…  ” 
21.	The claims contain subject matter which was not described in the specification (see Fig 6, item 309; paragraphs 57, 84) in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
22.	Claims 7-9 and 20 are rejected under the same rationale as claim 6 because claims 7-9 and 20 inherit the deficiencies of claim 6 due to their dependency.

23.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


	The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


24.	Claims 7-9 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Unclear scope
25.	Claim 7 recites “receiving an authorization…”, “transmitting a verification …”, “receiving verification …”, “performing verification …”, “generating a device authorization …”, “transmitting the generated device …”, and “storing correspondences …”
Claim 8 recites “setting a previously stored … or deleting the previously stored …”
	Claim 9 recites “obtaining, according …”, “performing verification …”, “verifying the device authorization …”, and “determining that the device …”
26.	The claims do not identify what performs mentioned above underlined steps, therefore the claims is not in line with the Specification (paragraphs 69, 83, 84, and 96). It is unclear what performs method steps. MPEP 2173.02 (I-III). 
27.	Claim 20 recites “A non-transitory computer-readable storage medium storing instructions which when executed by processing circuitry cause the processing circuitry to perform the identification code pulling method according to claim 6”.  It is not clear whether claim 20 is an independent claim or dependent claim. MPEP 2173.02 I-III.

Claim Rejections - 35 USC § 103
28.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
29.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

30.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
31.	Claim 6-9 are rejected under 35 U.S.C. 103 as being unpatentable over US20140189808A1 to Mahaffey et al. in view of US20170070523A1 to Bailey et al. and US8856869B1 to Brinskelle.
32.	As per claim 6:
Mahaffey et al. discloses the following limitations:
receiving, from an application client the by processing circuitry, a pull request for an identification code, the pull request including a device authorization message, a user identifier, and device information of the application client [0061], [0062], [0063], [0065], [0080], [0135]
performing, by the processing circuitry, verification on the device authorization message included in the pull request by determining that correspondences between the device authorization message, the device information, and the user identifier are stored in a memory of the application platform [0063], [0093], [0100], [0135] 
obtaining, by the processing circuitry, identification code information corresponding to the identification code according to the pull request [0065], [0100]-[0102]
transmitting, by the processing circuitry, the identification code information to the application client [0065] 
after transmitting the identification code information…[0065]
Mahaffey et al. does not explicitly teach the following limitations:
determining a risk assessment score corresponding to the user identifier of the application client according to a preset period, and determining whether the risk assessment score is greater than a preset value. 
However, Bailey et al., as shown, discloses the following limitations:
determining a risk assessment score corresponding to the user identifier of the application client according to a preset period… [0040], [0255]-[0257]
It would be have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have systems and methods for detecting and scoring anomalies, determining whether the digital interaction is suspicious; in response to determining that the digital interaction is suspicious, deploying a security probe taught by Bailey et al. a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer of Mahaffey et al. with the motivation to enhance a method with a new feature like calculating risk scores using any suitable combination of one or more techniques and if a resulting score is below a selected threshold, the security system may proceed to act to perform standard operation as taught by Bailey et al. over that Mahaffey et al.
However, Brinskelle, as shown, discloses the following limitations:
determining whether the risk assessment score is greater than a preset value (Col.16, lines 38-43; Col.11, lines 41-48; Col.42, lines 22-32)
It would be have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data where a security agent may help ensure release of sensitive data is only triggered by authorized sources taught by Brinskelle a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer of Mahaffey et al. with the motivation to enhance a method with a new feature like the security agent can determine expired cookies that are no longer used and clearing or deleting HTTP cookies to help to protect them as taught by Brinskelle over that Mahaffey et al.
Claim 6 language “transmitting … in response to the determined risk assessment  score being greater…” is the optional language and according to the MPEP (2103 I C) is not sufficient to differentiate the claim from the prior art. 
33.	As per claims 7-9:
As per the optional language in the independent claim 6, the dependent claims 7-9 only recite optional steps and are not sufficient to differentiate the claim from the prior art.

34.	Claim 6-8, 15-17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US20140189808A1 to Mahaffey et al. in view of US20170070523A1 to Bailey et al. and US8856869B1 to Brinskelle.
35.	As per claims 6 and 15:
Mahaffey et al. discloses the following limitations:
receiving, from an application client the by processing circuitry, a pull request for an identification code, the pull request including a device authorization message, a user identifier, and device information of the application client [0061], [0062], [0063], [0065], [0080], [0135]
performing, by the processing circuitry, verification on the device authorization message included in the pull request by determining that correspondences between the device authorization message, the device information, and the user identifier are stored in a memory of the application platform [0063], [0093], [0100], [0135] 
obtaining, by the processing circuitry, identification code information corresponding to the identification code according to the pull request [0065], [0100]-[0102]
transmitting, by the processing circuitry, the identification code information to the application client [0065] 
after transmitting the identification code information [0065] 
Mahaffey et al. does not explicitly teach the following limitations:
determining a risk assessment score corresponding to the user identifier of the application client according to a preset period, and determining whether the risk assessment score is greater than a preset value;
transmitting a device authorization message deletion command to the application client in response to the determined risk assessment score being greater than the preset value, the device authorization message deletion command being a command that instructs the application client to delete the device authorization message stored in the application client.
However, Bailey et al., as shown, discloses the following limitations:
determining a risk assessment score corresponding to the user identifier of the application client according to a preset period… [0040], [0255]-[0257]
transmitting a device authorization message deletion command to the application client … the device authorization message deletion command being a command that instructs the application client to delete the device authorization message stored in the application client [0040], [0255]-[0257], [0266]
It would be have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have systems and methods for detecting and scoring anomalies, determining whether the digital interaction is suspicious; in response to determining that the digital interaction is suspicious, deploying a security probe taught by Bailey et al. a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer of Mahaffey et al. with the motivation to enhance a method with a new feature like calculating risk scores using any suitable combination of one or more techniques and if a resulting score is below a selected threshold, the security system may proceed to act to perform standard operation as taught by Bailey et al. over that Mahaffey et al.
However, Brinskelle, as shown, discloses the following limitations:
determining whether the risk assessment score is greater than a preset value (Col.16, lines 38-43; Col.11, lines 41-48; Col.42, lines 22-32)
in response to the determined risk assessment score being greater than the preset value (Col.16, lines 38-43; Col.11, lines 41-48; Col.42, lines 22-32) 
It would be have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data where a security agent may help ensure release of sensitive data is only triggered by authorized sources taught by Brinskelle a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer of Mahaffey et al. with the motivation to enhance a method with a new feature like the security agent can determine expired cookies that are no longer used and clearing or deleting HTTP cookies to help to protect them as taught by Brinskelle over that Mahaffey et al.
As per claim 15 Mahaffey et al. additionally discloses the following limitations:
processing circuitry (Fig.1, item 101; [0041], [0042], [0047] )
36.	As per claims 7 and 16:
Mahaffey et al. discloses the following limitations:
receiving an authorization request for the device authorization message from the application client [0047], [0061], [0064]
transmitting a verification command to the application client when the authorization request includes the user identifier and the device information of the application client (Fig. 2A, item “press button”; [0047], [0088])
receiving verification information that is transmitted by the application client, according to the verification command [0043], [0044], [0063], [0066], [0079]
performing verification on the verification information [0050], [0067]
generating a device authorization message according to the device information when the verification information is verified [0080]
transmitting the generated device authorization message to the application client [0082]
storing correspondences between the user identifier, the device authorization message, and the device information [0083]
37.	As per claims 8 and 17:
Mahaffey et al. discloses the following limitations:
… device authorization message …(“(8) a stored token/cookie…” [0063])
Mahaffey et al. does not explicitly teach the following limitations:
setting previously stored device authorization message into an invalid state, or deleting the previously stored device authorization message.
However, Brinskelle, as shown, discloses the following limitations:
setting previously stored device authorization message into an invalid state, or deleting the previously stored device authorization message (Col.16, lines 38-43; Col.11, lines 41-48; Col.42, lines 22-32)
It would be have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have methods, systems, and apparatus relating to enforcement of same origin policy of sensitive data where a security agent may help ensure release of sensitive data is only triggered by authorized sources taught by Brinskelle a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer of Mahaffey et al. with the motivation to enhance a method with a new feature like the security agent can determine expired cookies that are no longer used and clearing or deleting HTTP cookies to help to protect them as taught by Brinskelle over that Mahaffey et al.
38.	As per claim 20:
Mahaffey et al. discloses the following limitations:
A non-transitory computer-readable storage medium storing instructions which when 30Oblon Ref. No.: 531341USexecuted by processing circuitry cause the processing circuitry to perform the identification code pulling method according to claim 6 [0038]
39.	Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US20140189808A1 to Mahaffey et al. in view of US20170070523A1 to Bailey et al., US8856869B1 to Brinskelle, and US7650505B1 to Masurkar.
40.	As per claims 9 and 18:
Mahaffey et al. discloses the following limitations:
… device authorization message …(“(8) a stored token/cookie…” [0063])
Mahaffey et al. does not explicitly teach the following limitations:
wherein the device authorization message is a digital certificate, and the performing the verification on the device authorization message further comprises; 
obtaining, according to a private key, certificate information from the digital certificate, the certificate information including device information, a certificate number, and a validity period of the certificate;
performing verification separately on the device information, the certificate number, and the validity period of the certificate; 
verifying the device authorization message in the pull request when the certificate information is verified;
determining that the device authorization message in the pull request fails to be verified when at least one of the device information, the certificate number, and the validity period of the certificate fails to be verified.
However, Masurkar, as shown, discloses the following limitations:
wherein the device authorization message is a digital certificate (Fig 5, items 532, 534, 536, 540 and 542; col.20, lines 62-67 – col.21, lines 1-67), and the performing the verification … comprises (Col.22, lines 41-46)
obtaining, according to a private key (col 22, lines 41-60), certificate information from the digital certificate, the certificate information including device information (Col 21, lines 4-15), a certificate number (Col.20, lines 63-67 – col.21, lines 1-3) and a validity period of the certificate (Col 21, lines 34-39)
performing verification separately on the device information, the certificate number, and the validity period of the certificate (Col. 21, lines 45-58; col. 22, lines 41-60; col 24, lines 8-28)
verifying the device authorization message in the pull request when the certificate information is verified (abstract) 
determining that the device authorization message in the pull request fails to be verified when at least one of the device information, the certificate number, and the validity period of the certificate fails to be verified (Col.24, lines 8-28)
It would be have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have a method for remote services authentication in an internet hosted environment that includes a high level process and functionality for a secure, practical and logically optimized inter-network authentication mechanism by employees, partners and customers of an enterprise into the hosted Internet site taught by Masurkar a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer of Mahaffey et al. with the motivation to enhance a method with a new feature like an authentication can be based on password or digital signature,  the encrypted digital signature cookie has the “user's digital signature”, and authentication includes initial secure password establishment upon resuming previously run sessions with the hosted server using Internet cookies as taught by Masurkar over that Mahaffey et al.
Conclusion
41.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

42.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMANULLA ABDULLAEV whose telephone number is (571)272-4367. The examiner can normally be reached Monday-Friday 9:30AM -4:30PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Calvin L Hewitt II can be reached on 571-272-6709. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AMANULLA ABDULLAEV/Examiner, Art Unit 3692                                                                                                                                                                                                        
/CALVIN L HEWITT II/Supervisory Patent Examiner, Art Unit 3692