Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-17 are rejected under 35 U.S.C. 103 as being unpatentable over Schmidt (US 2011/0010543) in view of Pavlicic (US 2007/0220259) further in view of Merrien (US 2003/0084311).


Regarding Claim 1,


Schmidt (US 2011/0010543) teaches a method for creating device certificates for electronic devices comprising the steps of:

- providing an electronic device that has a secret stored therein which is not readable from outside the device (Paragraph [0045] Endorsement Key);
- creating a device certificate whose certificate information is cryptographically bound to the secret, wherein said device certificate comprises a digital signature generated using a signing key (Paragraph [0045] teaches EK certificate) 

Schmidt does not explicitly teach wherein the certificate is authenticatable by means of a certificate chain, 
the certificate chain being a sequence of at least two certificates starting with the device certificate, wherein each certificate of the certificate chain comprises an information defining the validity period of the respective certificate, and wherein each certificate of the certificate chain with the exception of the device certificate comprises a certificate information by means of which the respective previous certificate in the sequence is authenticatable; and 
- creating a confirmation information which confirms that the device certificate was created by an authorized entity; 
in response to the confirmation information, providing a digitally signed piece of status information for the device certificate, which comprises a proof that the device certificate was created by an authorized entity
Pavlicic (US 2007/0220259) teaches a certificate is authenticatable by means of a certificate chain, 
the certificate chain being a sequence of at least two certificates starting with the device certificate (Paragraph [0005, 0019] “chains of certificates”), wherein each certificate of the certificate chain comprises an information defining the validity period of the respective certificate (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid), and wherein each certificate of the certificate chain with the exception of the device certificate comprises a certificate information by means of which the respective previous certificate in the sequence is authenticatable (Paragraph [0040] teaches validating certificate chain); and 
- creating a confirmation information which confirms that the device certificate was created by an authorized entity (Figure 2 and associated text); 
in response to the confirmation information, providing a digitally signed piece of status information for the device certificate, which comprises a proof that the device certificate was created by an authorized entity (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Schmidt with the certificate chain method of Pavlicic.
The motivation is to verify electronic signatures (Paragraph [0004] of Pavlicic).
Schmidt and Pavlicic teach the method as claimed in claim 1 but do not explicitly teach wherein the confirmation information comprises that the device certificate or an information derived from the device certificate is stored in a retrievable manner in a database.
Merrien (US 2003/0084311) teaches wherein the confirmation information comprises that the device certificate or an information derived from the device certificate is stored in a retrievable manner in a database (Paragraph [0059-0061] teaches an escrow database used by the manufacturer to retrieve device certificate information) (Also See Figure 10 and associated text).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Schmidt and Pavlicic with the database of Merrien.
The motivation is to indicate the devices that the device certificates are bound to (Paragraph [0062] Merrien).


Regarding Claim 2,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 2. Pavlicic teaches further comprising the step of: - providing a digitally signed piece of status information for at least one further certificate of the certificate chain, which comprises a proof that the further certificate was created by an authorized entity (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid).

Regarding Claim 3,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 1. Pavlicic teaches wherein the created device certificate and/or at least one further certificate of the certificate chain and/or the digitally signed timestamp and/or at least one digitally signed piece of status information is provided in accessible form in a manner so as to be attributable to the device, in particular by being stored in a readable memory or a storage medium associated with the electronic device or arranged in the electronic device, or by being provided via a directory service (Figure 2 shows signed timestamp is accessible in a memory).


Regarding Claim 4,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 1 wherein different signing keys are used for the generation of the digital signature of the device certificate and the digital signature of the piece of status information (Paragraph [0045] Endorsement Key, of Schmidt) (Paragraph [0022] teaches a timestamp signature of Pavlicic).

Regarding Claim 5,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 1. Pavlicic teaches further comprising the steps of: - detecting an unauthorized use of a signing key used for signing a first certificate of the certificate chain and generating a digitally signed piece of status information for the certificate subsequent to the first certificate in the certificate chain (Paragraph [0020] teaches unauthorized certificate, and a certificate revocation list), wherein the piece of status information comprises a revocation information which identifies the certificate subsequent to the first certificate in the certificate chain as invalid for all checking times after the time at which the unauthorized use has been detected (Paragraph [0040] teaches revocation information identifying certificate as invalid).

Regarding Claim 6,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 1. Schmidt teaches wherein the secret is a private part of an asymmetric key pair (Paragraph [0034] teaches asymmetric key pair).

Regarding Claim 7,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 1. Schmidt teaches wherein the secret is stored in a chip of the device (Paragraph [0036-0037] tamper-resistant chip) (Paragraph [0060]).



Regarding Claim 8,

Schmidt teaches a method for checking the validity of a device certificate, comprising the steps of: - providing a device certificate; whether a binding of the device certificate to the device exists, by means of a secret stored in a memory of the device which is not readable from outside the device (Paragraph [0045] Endorsement Key) 
Schmidt does not explicitly teach the remaining limitations.

Pavlicic (US 2007/0220259) teaches providing a trusted certificate wherein the device certificate is linkable with the trusted certificate via a certificate chain, wherein the certificate chain is a sequence of at least two certificates starting with the device certificate and terminating with the trusted certificate (Paragraph [0005, 0019] “chains of certificates”), wherein each certificate in the certificate chain comprises an information defining the validity period of the respective certificate (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid), and wherein each certificate of the certificate chain with the exception of the device certificate comprises a certificate information by means of which the respective previous certificate in the sequence is authenticatable (Paragraph [0040] teaches validating certificate chain);
- defining an associated checking time for each certificate of the certificate chain;
- providing a digitally signed piece of status information that is associated with the device certificate, wherein the piece of status information identifies the device certificate as valid or invalid and comprises an information which defines the validity period of the piece of status information (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid); and wherein said digitally signed piece of status information is provided in response to a confirmation information, wherein said confirmation information confirms that the device certificate was created by an authorized entity (Figure 2 and associated text); (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid),
- defining an associated checking time for the piece of status information associated with the device certificate;
- checking:
- whether the device certificate is successfully authenticatable by means of the certificate chain;
- for each certificate of the certificate chain, whether the associated checking time is within the validity period of the respective certificate (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid);
- whether the associated checking time of the piece of status information associated with the device certificate (630) is within the validity period of the piece of status information;
- whether the piece of status information associated with the device certificate identifies the device certificate as valid, wherein an identification of the device certificate as valid comprises a proof that the device certificate was created by an authorized entity; wherein if the check is successful the device certificate is identified as valid, otherwise as invalid (Paragraph [0005, 0019, 0022, 0040]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Schmidt with the certificate chain method of Pavlicic.
The motivation is to verify electronic signatures (Paragraph [0004] of Pavlicic).
Schmidt and Pavlicic do not explicitly teach wherein the proof is derived from the fact that the certificate or information derived from the certificate is stored in a predefined database and wherein the confirmation information comprises that the device certificate or an information derived from the device certificate is stored in a retrievable manner in a predefined database.
Merrien teaches the proof is derived from the fact that the certificate or information derived from the certificate is stored in a predefined database and wherein the confirmation information comprises that the device certificate or an information derived from the device certificate is stored in a retrievable manner in a predefined database (Paragraph [0059-0061] teaches an escrow database used by the manufacturer to retrieve device certificate information) (Also See Figure 10 and associated text).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Schmidt and Pavlicic with the database of Merrien.
The motivation is to indicate the devices that the device certificates are bound to (Paragraph [0062] Merrien).


Regarding Claim 9,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 11. Pavlicic teaches further comprising the steps of: - providing an associated digitally signed piece of status information for at least one further certificate of the certificate chain, wherein the piece of status information identifies the further certificate as valid or invalid and comprises an information which defines the validity period of the piece of status information (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid); - defining an associated checking time for each piece of status information; - identifying the device certificate as valid only if; - for each piece of status information the associated checking time is within the validity period of the respective piece of status information (Figure 2, electronic signature and timestamp); and - each piece of status information identifies the respectively associated further certificate as valid, wherein the identification of the further certificate as valid comprises a proof that the further certificate was created by an authorized entity (Figure 3, 304, 312, 322). Merrien teaches the proof is derived from the fact that the certificate or information derived from the certificate is stored in a predefined database and wherein the confirmation information comprises that the device certificate or an information derived from the device certificate is stored in a retrievable manner in a predefined database (Paragraph [0059-0061] teaches an escrow database used by the manufacturer to retrieve device certificate information).




Regarding Claim 10,

Schmidt and Pavlicic teach the method as claimed in claim 11. Pavlicic teaches wherein the point in time at which the validity check of the device certificate is performed is defined as the associated checking time for at least one of the certificates of the certificate chain and/or at least one of the pieces of status information (Paragraph [0022] teaches a timestamp signature attesting the certificate chain was valid).


Regarding Claim 11,

Schmidt and Pavlicic teach the method as claimed in claim 11. Pavlicic teaches wherein the point in time at which the preceding certificate in the certificate chain was created or at which the validity period of the preceding certificate in the certificate chain starts is defined as the associated checking time for at least one of the certificates of the certificate chain and/or for the piece of status information associated with this certificate (Paragraph [0005, 0019, 0022, 0040]).

Regarding Claim 12,

Schmidt and Pavlicic teach the method as claimed in claim 11. Schmidt teaches wherein the device certificate has the function of a certificate of authenticity or of an ownership certificate, and/or the device certificate is provided as an attribute certificate (Paragraph [0045] teaches EK certificate).

Regarding Claim 13,

Schmidt and Pavlicic teach the method as claimed in claim 11. Pavlicic teaches wherein the certificate chain comprises at least one intermediate certificate which is arranged between the device certificate and the trusted certificate in the sequence defined by the certificate chain (Paragraph [0019]).

Regarding Claim 14,

Schmidt, Pavlicic and Merrien teach the method as claimed in claim 11, but do not explicitly teach wherein the trusted certificate is a self-signed root certificate.
The Examiner takes Official Notice that self-signed root certificates are well known in the art.
It would have been obvious to one of ordinary skill to modify Schmidt and Pavlicic with a self-signed root certificate and the results would be predictable (i.e. the certificate chain of Pavlicic would include a self-signed root certificate).

Regarding Claim 15,

Schmidt and Pavlicic and Merrien teach a system for checking the validity of a device certificate, adapted to perform a method as claimed in claim 11 and is rejected for a similar rationale. Pavlov teaches the system devices comprising: - a checking device for checking the validity of a device certificate stored in a memory of an electronic device by means of a certificate chain; and - a certificate information server which the checking device can access to request a piece of status information for at least one certificate of the certificate chain (Figure 1, verifier 118 and timestamp authority, 110, also see Figure 2).


Regarding Claim 16,

Schmidt and Pavlicic and Merrien teach an electronic device, comprising a memory that is not readable from outside the device and in which a secret is stored, and a readable memory, wherein the readable memory stores all information required for carrying out a method as claimed in claim 11 and is rejected for a similar rationale, in particular certificates of the certificate chain, pieces of status information, and/or timestamps (Above cited portions of Schmidt and Pavlicic in rejection of Claim 11).


Regarding Claim 17,

Claim 17 is similar in scope to Claim 16 and is rejected for a similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462. The examiner can normally be reached M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HARRIS C WANG/Primary Examiner, Art Unit 2439