Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This initial office action has been issued in response to patent application 16/949504, filed on 30 October 2020 with a provisional date of 30 October 2019. Claims 1-16, as originally filed, are currently pending and have been considered below.

Information Disclosure Statement 
The information disclosure statement filed 02/05/2021 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.  


Claim Rejections - 35 USC § 112
The following is a quotation of the second paragraph of 35 U.S.C. 112:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claim 4:
Claim 4 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.  
Claim 4 recites the limitation “further comprising the creation”.  There is insufficient antecedent basis for this limitation in the claim.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1-4, 7, 9-16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Acuna et al. (US2009/0119756 A1, publish date 05/07/2009).

Claims 1, 11, 14:
With respect to claims 1, 11, 14, Acuna et al. discloses a method/a system/a non-transitory computer-readable storage medium encoded with a plurality of instructions which, when executed by at least one processor of at least one server, cause the at least one processor to perform/ for authenticating a digital identification credential (one embodiment may exchange messages to verify a user's identity before exchanging messages related to the underlying transaction for which the user's identity is being verified, 0024, Figure 2), the method/the system comprising:
obtaining personal identifying information from an individual using a remote device comprising a processor and memory that stores executable instructions that, when executed by the processor, facilitate performance of operations (a merchant system receives client input data. This input data may comprise a customer identifier ("ID")--or more generally, a user ID, 0025) (use an authentication token in addition to the user ID (and this authentication token may be obtained at Block 200, in addition to the user ID) to enable the third-party credential service to authenticate the user, 0026);
transmitting said personal identifying information from said remote device to an application server comprising a processor and memory that stores executable instructions that, when executed by the processor, facilitate performance of operations (a merchant system receives client input data. This input data may comprise a customer identifier ("ID")--or more generally, a user ID, 0025)(Figure 2, 200)
transmitting said personal identifying information from said application server to an authoritative data repository comprising a processor and memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, 
(the third-party credential service validates the user's identity (Block 220) using the provided user ID (which is illustrated as alphabetic data in sample message 400; see reference number 402) and authentication token, 0030)(Figure 2, 220)  and a plurality of data records containing authoritative personal information (the merchant system sends the verification token to the third-party credential service, which may then forward the verification token to a data provider that provides secure access to data in the data repository, 0039) (Figure 1A, 130, 1B, 131) (private data of the user from a data repository 130, 131, 0020) and authoritative biometric information (the authenticated user's credentials are retrieved from the credential repository. These credentials may comprise, for example, a stored image of a person's physical appearance, an image of the person's signature, biometric data (such as a stored image of the person's fingerprint), and/or other forms of identifying information, 0032);
receiving, by said application server from said authoritative data repository, a response indicating whether said personal identifying information matches said authoritative personal information in a data record in said authoritative data repository (the authentication token is checked to determine whether the person providing the user ID is the person legitimately entitled to have that user ID, If the authentication succeeds, then at Block 240, the authenticated user's credentials are retrieved from the credential repository, 0031-0032) (ID matched Figure 2, 240);
receiving, by said application server from said authoritative data repository, said authoritative personal information and said authoritative biometric information stored in a matching data record in said authoritative data repository (If the authentication succeeds, then at Block 240, the authenticated user's credentials are retrieved from the credential repository. These credentials may comprise, for example, a stored image of a person's physical appearance, an image of the person's signature, biometric data (such as a stored image of the person's fingerprint), and/or other forms of identifying information, 0032) (Figure 2, 250);
obtaining biometric identifying information from said individual by said remote device; 
transmitting said biometric identifying information, from said remote device to said application server (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
transmitting said biometric identifying information and said authoritative biometric information to a biometric comparison service comprising a processor and memory that stores executable instructions that, when executed by the processor, facilitate performance of operations comprising a comparison of the extent to which said biometric identifying information matches said authoritative biometric information
(These credentials establish who the person is who is associated with the authenticated identity. The merchant then uses those credentials to verify the user's identity (Block 260), 0035) (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
receiving, by said application server from said biometric comparison service, a match score (tests whether the user's identity is successfully verified using the returned credentials, comprises ensuring that the user's credentials are still valid, 0037) (Figure 2, 270);
analyzing by said application server said match score to determine whether to issue a digital identification credential to the individual (When the test at Block 270 has a successful result, an embodiment of the invention may generate a verification token to indicate the successful verification and forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), 0039) (match, generate verification token, Figure 2, 290, 295); and
transmitting, by said application server, an authentication result to said remote device
(forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), the merchant system sends the verification token to the third-party credential service, which may then forward the verification token to a data provider that provides secure access to data in the data repository, 0039) (the data is transmitted to the merchant at Block 295 in encrypted form, and the user is then responsible for providing a decryption key. The merchant may prompt the user for this information, for example, using a GUI display similar to those shown in FIGS. 3A-3F. An embodiment of the present invention may optionally also transmit a verification token from the data provider when returning the requested data, 0040) (Figure 2, 295).

Claims 2, 12, 15:
With respect to claims 2, 12, 15, Acuna et al. discloses wherein said authentication result is a transmission comprising a message indicating that a valid authenticated digital identification credential will not be issued (Upon reaching Block 280, the copy of the credential data received by the merchant is preferably destroyed, 0037) (the initial request message that triggers processing of a transaction (and which is illustrated at 400 of FIG. 4A) is not sent until Block 290 is reached, may use a message similar to that of message 400, without identifying a particular type of transaction or providing transaction-related information, 0042).

Claims 3, 13, 16:
With respect to claims 3, 13, 16, Acuna et al. discloses wherein said authentication result is a transmission comprising authoritative personal information and a message indicating that a valid authenticated digital identification credential has been issued (forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), the merchant system sends the verification token to the third-party credential service, which may then forward the verification token to a data provider that provides secure access to data in the data repository, 0039) (the data is transmitted to the merchant at Block 295 in encrypted form, and the user is then responsible for providing a decryption key. The merchant may prompt the user for this information, for example, using a GUI display similar to those shown in FIGS. 3A-3F. An embodiment of the present invention may optionally also transmit a verification token from the data provider when returning the requested data, 0040) (Figure 2, 295).

Claim 4:
With respect to claim 4, Acuna et al. discloses further comprising the creation, by said remote device, of a valid and authenticated digital identification credential comprising said authoritative personal information (Because the user's ID is not necessarily securely stored, embodiments of the present invention use an authentication token in addition to the user ID (and this authentication token may be obtained at Block 200, in addition to the user ID), The authentication token may comprise (by way of example) a password, personal identification number ("PIN"), biometric data, or other information usable for authenticating the user, 0026).

Claim 7:
With respect to claim 7, Acuna et al. discloses wherein said remote device is selected from the group comprising a mobile phone, tablet, or laptop computer (embodied on a card, in a cell phone, in a personal digital assistant ("PDA"), in a smart card, in a radio-frequency identification ("RFID") tag or card, and so forth, 0025).

Claim 8:
With respect to claim 8, Acuna et al. discloses wherein said authoritative data repository is a data repository maintained by or on behalf of a governmental entity (a third-party credential service ("3PCS") 120, Figure 1A).

Claim 9:
With respect to claim 9, Acuna et al. discloses further comprising:
receiving by said application server a request from said remote device that said application server transmit said authoritative personal information to a relying party
(Because the user's ID is not necessarily securely stored, embodiments of the present invention use an authentication token in addition to the user ID (and this authentication token may be obtained at Block 200, in addition to the user ID) to enable the third-party credential service to authenticate the user, The authentication token is sent, along with the user's ID, from the merchant system to the third-party credential service (Block 210), 0026);
transmitting said authoritative personal information by said application server to a relying party device (from the merchant system to the third-party credential service (Block 210), 0026);
receiving by said application server a response from said relying party device indicating whether real-time verification of said individual should be performed (the third-party credential service validates the user's identity (Block 220) using the provided user ID (which is illustrated as alphabetic data in sample message 400; see reference number 402) and authentication token, 0030);
obtaining current biometric identifying information from said individual by said remote device, transmitting said current biometric identifying information from said remote device to said application server (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
transmitting a request from said application server to said authoritative data repository for current authoritative biometric information for said individual (These credentials establish who the person is who is associated with the authenticated identity. The merchant then uses those credentials to verify the user's identity (Block 260), 0035) (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
receiving, by said application server from said authoritative data repository said current authoritative biometric information for said individual (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
transmitting said current biometric identifying information and said current authoritative biometric information to a biometric comparison service comprising a processor and memory that stores executable instructions that, when executed by the processor, facilitate performance of operations comprising a comparison of the extent to which said biometric identifying information matches said authoritative biometric information (These credentials establish who the person is who is associated with the authenticated identity. The merchant then uses those credentials to verify the user's identity (Block 260), 0035) (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
receiving, by said application server from said biometric comparison service, a current match score (tests whether the user's identity is successfully verified using the returned credentials, comprises ensuring that the user's credentials are still valid, 0037) (Figure 2, 270, Match);
analyzing by said application server said current match score to determine whether to issue a digital identification credential to the individual (When the test at Block 270 has a successful result, an embodiment of the invention may generate a verification token to indicate the successful verification and forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), 0039) (match, generate verification token, Figure 2, 290, 295); and 
transmitting, by said application server, an authentication result to said relying party device (forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), the merchant system sends the verification token to the third-party credential service, which may then forward the verification token to a data provider that provides secure access to data in the data repository, 0039) (the data is transmitted to the merchant at Block 295 in encrypted form, and the user is then responsible for providing a decryption key. The merchant may prompt the user for this information, for example, using a GUI display similar to those shown in FIGS. 3A-3F. An embodiment of the present invention may optionally also transmit a verification token from the data provider when returning the requested data, 0040) (Figure 2, 295).

Claim 10:
With respect to claim 10, Acuna et al. discloses further comprising:
receiving by said application server a request from said relying party device that said application server transmit said authoritative personal information to a relying party (Because the user's ID is not necessarily securely stored, embodiments of the present invention use an authentication token in addition to the user ID (and this authentication token may be obtained at Block 200, in addition to the user ID) to enable the third-party credential service to authenticate the user, The authentication token is sent, along with the user's ID, from the merchant system to the third-party credential service (Block 210), 0026);
receiving by said application server an authorization from said remote device authorizing application server to transmit said authoritative personal information to said relying party (an authorization token 404, 0029);
transmitting said authoritative personal information by said application server to a relying party device (from the merchant system to the third-party credential service (Block 210), 0026);
receiving by said application server a response from said relying party device indicating whether real-time verification of said individual should be performed (the third-party credential service validates the user's identity (Block 220) using the provided user ID (which is illustrated as alphabetic data in sample message 400; see reference number 402) and authentication token, 0030);
obtaining current biometric identifying information from said individual by said remote device, transmitting said current biometric identifying information from said remote device to said application server (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
transmitting a request from said application server to said authoritative data repository for current authoritative biometric information for said individual (These credentials establish who the person is who is associated with the authenticated identity. The merchant then uses those credentials to verify the user's identity (Block 260), 0035) (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
receiving, by said application server from said authoritative data repository said current authoritative biometric information for said individual (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
transmitting said current biometric identifying information and said current authoritative biometric information to a biometric comparison service comprising a processor and memory that stores executable instructions that, when executed by the processor, facilitate performance of operations comprising a comparison of the extent to which said biometric identifying information matches said authoritative biometric information (These credentials establish who the person is who is associated with the authenticated identity. The merchant then uses those credentials to verify the user's identity (Block 260), 0035) (Merchant verifies clients identity by visually inspecting picture sent, matching biometric fingerprint, matching signature, Figure 2, 260);
receiving, by said application server from said biometric comparison service, a current match score (tests whether the user's identity is successfully verified using the returned credentials, comprises ensuring that the user's credentials are still valid, 0037) (Figure 2, 270, Match);
analyzing by said application server said current match score to determine whether to issue a digital identification credential to the individual (When the test at Block 270 has a successful result, an embodiment of the invention may generate a verification token to indicate the successful verification and forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), 0039) (match, generate verification token, Figure 2, 290, 295); and 
transmitting, by said application server, an authentication result to said relying party device (forward this verification token to the data provider (which may be the same entity or service as the third-party credential service), the merchant system sends the verification token to the third-party credential service, which may then forward the verification token to a data provider that provides secure access to data in the data repository, 0039) (the data is transmitted to the merchant at Block 295 in encrypted form, and the user is then responsible for providing a decryption key. The merchant may prompt the user for this information, for example, using a GUI display similar to those shown in FIGS. 3A-3F. An embodiment of the present invention may optionally also transmit a verification token from the data provider when returning the requested data, 0040) (Figure 2, 295).








Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 5, 6, 8 are rejected under 35 U.S.C. 103 as being unpatentable over Acuna et al. (US2009/0119756 A1, publish date 05/07/2009) in view of NPL: Grassi, Paul A. et al., “Digital Identity Guidelines: Authentication and Lifecycle Management,” National Institute of Standards and Technology (Jun. 22, 2017) (on applicant's IDS filed 02/05/2021).

Claim 5:
With respect to claim 5, Acuna et al. discloses the limitations of claim 1, as addressed. 

Acuna et al. does not disclose wherein the method is implemented in compliance with digital identity guidelines contained in the National Institute of Standards and Technology’s SP-800-63 Digital Identity Guidelines document suite as claimed.

However, NPL Grassi, Paul A. teaches guidelines that provide technical requirements for federal agencies implementing digital identity services (abstract), wherein the method is implemented in compliance with digital identity guidelines contained in the National Institute of Standards and Technology’s SP-800-63 Digital Identity Guidelines document suite (“Digital Identity Guidelines: Authentication and Lifecycle Management,” National Institute of Standards and Technology).

Acuna et al. and Grassi are analogous art because they are from the same field of endeavor of digital identity authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Grassi in Acuna et al. so that the method is implemented in compliance with digital identity guidelines contained in the National Institute of Standards and Technology’s SP-800-63 Digital Identity Guidelines document suite as claimed, for purposes of providing guidelines to cover identity spoofing and authentication of users interacting with government IT systems (see Grassi Abstract).

Claim 6:
With respect to claim 6, Acuna et al. discloses the limitations of claim 1, as addressed. 

Acuna et al. discloses wherein said personal identifying information comprises information contained on a tangible identification credential (This input data may comprise a customer identifier ("ID")--or more generally, a user ID--embodied on a card, in a cell phone, in a personal digital assistant ("PDA"), in a smart card, in a radio-frequency identification ("RFID") tag or card, and so forth. In a scenario where a person carries a card containing an ID and presents this card in a purchase transaction, 0025).

Acuna et al. does not disclose issued by a governmental entity as claimed.

However, NPL Grassi, Paul A. teaches guidelines that provide technical requirements for federal agencies implementing digital identity services (abstract), issued by a governmental entity (“Digital Identity Guidelines: Authentication and Lifecycle Management,” National Institute of Standards and Technology) (guidelines to cover identity spoofing and authentication of users interacting with government IT systems, Abstract).

Acuna et al. and Grassi are analogous art because they are from the same field of endeavor of digital identity authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Grassi in Acuna et al. for issued by a governmental entity as claimed for purposes of providing guidelines to cover identity spoofing and authentication of users interacting with government IT systems (see Grassi Abstract).

Claim 8:
With respect to claim 8, Acuna et al. discloses the limitations of claim 1, as addressed. 

Acuna et al. discloses wherein said authoritative data repository is a data repository maintained (a third-party credential service ("3PCS") 120, Figure 1A).

Acuna et al. does not disclose by or on behalf of a governmental entity as claimed.

However, NPL Grassi, Paul A. teaches guidelines that provide technical requirements for federal agencies implementing digital identity services (abstract), by or on behalf of a governmental entity (“Digital Identity Guidelines: Authentication and Lifecycle Management,” National Institute of Standards and Technology) (guidelines to cover identity spoofing and authentication of users interacting with government IT systems, Abstract).

Acuna et al. and Grassi are analogous art because they are from the same field of endeavor of digital identity authentication.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Grassi in Acuna et al. for by or on behalf of a governmental entity as claimed for purposes of providing guidelines to cover identity spoofing and authentication of users interacting with government IT systems (see Grassi Abstract).



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO Form 892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HELAI SALEHI/           Examiner, Art Unit 2433      

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433