Detailed Action
 	- Claims 1, 3, 20 and 21 have been amended.
	- No claims are added. No claims are canceled.
	- Objection to claim 3 is withdrawn based on the claim amendments.
	- The double patenting rejection is withdrawn based on the filed and approved terminal disclaimer.
	- Claims 1-21 are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s Remarks filed on 6/3/2022 have been fully considered, however they are moot in view of the newly cited paragraphs necessitated by the amendment.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 and 6-16, 18 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over High et al (US Pub.No.2018/0167394) in view of Eberwine et al (US Pub.No.2015/0350913).

Re Claim 1. High discloses system for credential authentication, comprising: an interface configured to: receive a create indication to create a guest credential (i.e. controlling access to a locked space may begin at step 301 wherein an access code and a private key are generated by the computing system 120. Step 302 hashes the access code so that a size of the data can be uniform, or a fixed size. Step 303 encrypts the hashes access code with a public key to create a digital signature. The digital signature may be stored on the blockchain, to ensure that the hashed access code is not modified) [High, para.0045] representing a guest badge 5associated with a visitor (i.e. For example, a previously authenticated receiving device possessed by a repairman may approach a locked space, such as a front door of a home. A camera positioned proximate the front door of the home may capture an image of a badge or other credentials of the repairman to verify that the authenticated receiving device 112 is possessed by the actual repairman) [High, para.0036]; and receive a claim indication from an authentication device to claim the guest credential (i.e. Step 304 authenticates a receiving device 112 that is requesting permission to access a locked space) [High, para.0045] and a processor configured to: provide the guest credential to the authentication device in response to the claim 10indication (i.e. Step 305 transmits the private key and digital signature to authenticated receiving device) [High, para.0045]; provide a proof request to the authentication device (i.e. step 306 instructs the authenticated receiving device 112 to decrypt the digital signature the authenticated using the private key to obtain the hashed access code, and transmit the hashed access code to the computing system 120) [High, para.0046]; receive a proof response from the authentication device, wherein the proof response comprises the guest credential; validate the proof response using a distributed ledger (i.e. Prior to communicating with the locking mechanism 111 to unlock the locked space, the computing system 120 may access the blockchain to confirm that the hashed access code received from the receiving device matches the hashed access code stored on the blockchain ) [High, para.0046], comprising to verify that the authentication device has communicated with a guest check-in site associated with the guest credential within a predefined time period (i.e. wherein the locked space is accessible for a limited time, and when the limited time passes, the private key is no longer valid to gain access to locked space and a new access code is generated) [High, claim 3]; determine a visitor tracking system associated with a request from the isauthentication device to authenticate entry; and provide a check-in indication to a visitor [tracking] system that the visitor has checked in (i.e. transmitting the hashed access code to the computing system, so that the computing system 120 sends a signal to the locking mechanism 111 to actuate a locking device to provide access to the locked space) [High, para.0028].
	Although High discloses transmitting the check-in indication to the lock device (i.e. a visitor system), High does not explicitly disclose that the lock device is a tracking system, however Eberwine discloses providing the check-in indication to a visitor tracking system: (i.e. communicate the lock device payload information to the access control system 106. At step 224, the access control system 106 may register, or otherwise record or store information received from the communicated lock device payload. Such registering may associate the received information from the lock device payload with the associated register user account and/or the lock device 104. For example, according to certain embodiments, the access control system 106 may register information from the lock device payload such as, for example, the one or more lock device identifiers such as, for example, a field device reset identifier, in a database 134) [Eberwine, para.0028].
 It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify High with Eberwine because, in Eberwine, different levels of permissions are provided so that an administrative mobile device 102a may be granted authority or a permission level in connection with administrative tasks relating to managing and/or configuring the lock devices 104 of the system 100, while user mobile devices 102b may be configured for general use of the lock devices 104 such as, for example, at least day-to-day routine operation or use of the lock device [Eberwine, para.0020].

Re Claims 20 and 21. These claims recite features similar to those recite in claim 1, therefore they are rejected in a similar manner.
	
Re Claim 2. High in view of Eberwine discloses the system of claim 1, Eberwine further discloses: wherein the create indication to create a guest credential is associated with an email address, a user ID, or a user account (i.e.  the access control system 106 may be provided with identification information relating to the user mobile device 102b and/or the associated user such as, for example, contact information such as a phone number or email address associated with the user) [Eberwine, para.0031].
 The same motivation to modify with Eberwine, as in claim 1, applies.

20 Re Claim 3. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein the claim indication from the authentication device to claim the guest credential comprises a one-time token being used that causes generation of a [decentralized identifier DID] keypair, and that causes providing the guest credential to the authentication device  (i.e. The access code or the hashed access code may be encrypted with a public key (or private key in some embodiments) to create a digital signature. The private key and the public key may be generated by the encryption module 131 at the same time. The public key and the private key may be generated along with a generation of the access code, or in response to the generation of the access code. Embodiments of the private key and the public key may be cryptographic keys. The private key may be unique to one device, person, account, etc. In one embodiment, the access code or hashed access code may be encrypted with the public key to create a digital signature. In other embodiments, the access code or hashed access code may be encrypted with the private key to create a digital signature. Embodiments of the digital signature may then be stored on a block of a blockchain, such as publicly distributed transaction ledger 113. Embodiments of the computing system 120 may further include a blockchain module(s) that include one or more components of hardware and/or software program code for accessing and/or utilizing the publicly distributed transactions ledger 113 (i.e. blockchain) to store and/or view transaction information, such as the hashed access code and the digital signature, details regarding who is requesting access, who is providing access, time details, the space, and, the like, using the public key and/or the private key generated by the computing system………………………….. Furthermore, a new transaction may be generated on the blockchain that the receiving device gained access to the locked space on the blockchain using the private key. This may prevent the receiving device 112 from using the same hashed code more than once in situations where access may be granted for a single time only) [High, para.0031-0033], wherein the private key component is stored on the authentication device (i.e. In some embodiments, the data, such as a private key, may be stored in storage device 225 of memory system 205 of the receiving device 112) [High, para.0026]  and the public key component is stored on the distributed ledger (i.e. Embodiments of the computing system 120 may further include a blockchain module(s) that include one or more components of hardware and/or software program code for accessing and/or utilizing the publicly distributed transactions ledger 113 (i.e. blockchain) to store and/or view transaction information, such as the hashed access code and the digital signature, details regarding who is requesting access, who is providing access, time details, the space, and, the like, using the public key and/or the private key generated by the computing system 120) [High, para.0031, Note: since system 120 may include a blockchain module, then it may be interpreted as the distributed ledger, and as such the public key is stored on the distributed ledger].  
 	High does not explicitly disclose that the keypair is a decentralized identifier DID, however Eberwine discloses DID (i.e. indicate or identify which distributed credential identifiers are to be updated) [Eberwine, para.0053].
 The same motivation to modify with Eberwine, as in claim 1, applies.
  
25 Re Claim 4. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein the processor is further configured to verify the guest credential is associated with the authentication device (i.e. Prior to communicating with the locking mechanism 111 to unlock the locked space, the computing system 120 may access the blockchain to confirm that the hashed access code received from the receiving device matches the hashed access code stored on the blockchain) [High, para.0046].  

Re Claim 6. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein the proof request is provided in response to a request to authenticate entry received from the authentication device (i.e. Step 304 authenticates a receiving device 112 that is requesting permission to access a locked space………………………. step 306 instructs the authenticated receiving device 112 to decrypt the digital signature the authenticated using the private key to obtain the hashed access code, and transmit the hashed access code to the computing system 120) [High, para.0045-0046]. 

Re Claim 7. High in view of Eberwine discloses the system of claim 6, High further discloses: wherein the request to authenticate entry is provided by the 5authentication device in response to an authentication request from the guest check-in site (i.e. The presence of the receiving device 112 may be detected or otherwise received by one or more input mechanisms 110. Step 402 determines whether the receiving device 112 has entered within a predefined proximity to the locked space. If not, then the step 401 continues to detect a presence. If yes, then step 402 determines whether the receiving device 112 that has entered the proximity is authenticated. If not, then step 401 continues to detect a presence of a receiving device. If yes, then step 404 transmits the private key to the receiving device 112) [High, para.0045, Fig. 6, the check-in system requires the device to be authenticated upon detecting its presence], (i.e. authenticating, by the processor, a receiving device in response to a request from the receiving device to gain access to the locked space) [High, para.0005].  

Re Claim 8. High in view of Eberwine discloses the system of claim 7, High further discloses: wherein the authentication request from the guest check-in site is provided in response to a check-in request from the authentication device (i.e. The presence of the receiving device 112 may be detected or otherwise received by one or more input mechanisms 110. Step 402 determines whether the receiving device 112 has entered within a predefined proximity to the locked space. If not, then the step 401 continues to detect a presence. If yes, then step 402 determines whether the receiving device 112 that has entered the proximity is authenticated. If not, then step 401 continues to detect a presence of a receiving device. If yes, then step 404 transmits the private key to the receiving device 112) [High, para.0045, Fig. 6, the check-in system requires the device to be authenticated upon detecting its presence], (i.e. authenticating, by the processor, a receiving device in response to a request from the receiving device to gain access to the locked space) [High, para.0005].  
  
Re Claim 9. High in view of Eberwine discloses the system of claim 8, High further discloses: wherein the check-in request from the authentication device is provided automatically upon detection of proximity of the authentication device to the guest 10check-in site i.e. The presence of the receiving device 112 may be detected or otherwise received by one or more input mechanisms 110. Step 402 determines whether the receiving device 112 has entered within a predefined proximity to the locked space. If not, then the step 401 continues to detect a presence. If yes, then step 402 determines whether the receiving device 112 that has entered the proximity is authenticated. If not, then step 401 continues to detect a presence of a receiving device. If yes, then step 404 transmits the private key to the receiving device 112) [High, para.0045, Fig. 6]. 

Re Claim 10. High in view of Eberwine discloses the system of claim 7, Eberwine further discloses: wherein the authentication device and the guest check-in site communicate using a wireless protocol (i.e. For example, according to certain embodiments, the lock device 104 may have a transceiver 118 that allows for Bluetooth low energy communication between the mobile device 102 and the lock device 104. Further, according to certain embodiments, the mobile device 102 and the lock device 104 may communication via NFC and/or WiFi (such as WiFi Direct)) [Eberwine, para.0021].
The same motivation to modify with Eberwine, as in claim 1, applies.

Re Claim 11. High in view of Eberwine discloses the system of claim 10, Eberwine further discloses: wherein the wireless protocol comprises Bluetooth, NFC, or Zigbee (i.e. For example, according to certain embodiments, the lock device 104 may have a transceiver 118 that allows for Bluetooth low energy communication between the mobile device 102 and the lock device 104. Further, according to certain embodiments, the mobile device 102 and the lock device 104 may communication via NFC and/or WiFi (such as WiFi Direct)) [Eberwine, para.0021].
The same motivation to modify with Eberwine, as in claim 1, applies.

is Re Claim 12. High in view of Eberwine discloses the system of claim 6, High further discloses: wherein the request to authenticate entry from the authentication device comprises a check-in site identifier (i.e. the receiving device 112 may be required to scan a unique identifier of the locked space or locked device before requesting access) [High, para.0026].  

Re Claim 13. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein the proof response comprises the guest credential (i.e. the digital signature represents an encrypted hashed access code……………..the receiving device 112 may transmit the hashed access code to the decryption module 133. The decryption module 133 may compare the received hashed access code to the hashed code stored on the blockchain, and if the received hashed access code is the same as the hashed access code stored on the blockchain, then the computing system 120 may allow access to the locked space) [High, para.0037].
  
Re Claim 14. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein the proof response is signed with an authentication device private key (i.e. step 306 instructs the authenticated receiving device 112 to decrypt the digital signature the authenticated using the private key to obtain the hashed access code, and transmit the hashed access code to the computing system 120) [High, para.0046], (i.e. The private key may be unique to one device, person, account, etc.) [High, para.0031].  

20 Re Claim 15. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein validating the proof response using the distributed ledger comprises determining that the guest credential is satisfactory to authenticate check-in (i.e. the digital signature represents an encrypted hashed access code……………..the receiving device 112 may transmit the hashed access code to the decryption module 133. The decryption module 133 may compare the received hashed access code to the hashed code stored on the blockchain, and if the received hashed access code is the same as the hashed access code stored on the blockchain, then the computing system 120 may allow access to the locked space) [High, para.0037], determining that a guest credential signature is valid, determining that the guest credential is not expired (i.e. wherein the locked space is accessible for a limited time, and when the limited time passes, the private key is no longer valid to gain access to locked space) [High, claim 3], or determining that the guest credential is not revoked by looking in the distributed ledger (i.e. The computing system 120 can treat the hashed access code as one cryptocurrency unit, and when the hashed access code is sent to the computing system 120, the lone cryptocurrency unit is spent. Any attempt to resend the hashed access code will not be successful in gaining access because the computing system 120 will access the blockchain, which by virtue of the distributed ledger, will not issue a consensus that the receiving device 112 has a remaining cryptocurrency to spend on gaining access to a particular locked space) [High, para.0033].  

25 Re Claim 16. High in view of Eberwine discloses the system of claim 1, High further discloses: wherein validating the proof response comprises determining that the visitor has a scheduled appointment or an employee authorization to enter (i.e. The request from the receiving device 112 may be seeking access based on an agreement to access the locked space, an offer to access the locked space, permission received to access the locked space, scheduled delivery to the locked space, and the like, the transaction and/or details of which may be stored on an authentication database 113. Embodiments of the authentication database 113 may be one or more databases, servers, storage devices, nodes, etc. that store transactions relating to accessing a locked space. For example, the authentication database 113 may include data and/or information on a parcel being shipped to a locked delivery receptacle at a particular location. The delivery person charged with delivering the parcel may carry a handheld device (e.g. a receiving device 112), and may approach the locked delivery box to deliver the parcel. The device 112 may send a request to the computing system 120 as part of an authenticating step of providing access to the locked space. In response to receiving the request, the authentication module 132 of the computing system 120 may access authentication database 113 to verify that indeed the delivery receptacle is expecting a parcel delivery on that particular day) [High, para.0034].  

Re Claim 18. High in view of Eberwine discloses the system of claim 1, Eberwine further discloses: wherein the claim indication from an authentication device to claim the guest credential is provided in response to an authentication device digital identification app setup (i.e. The invitation may include a variety of information including, for example, an invitation to download an application 136 onto the user mobile device 102b and/or to register with the access control system 106. If the user elects to join the system 100, then at step 308, the application 136 may be downloaded to the user mobile device 102b, and the user may enroll in the access control system 106……………………. the access control system 106 may encrypt the user mobile device payload using the master key and a user mobile device identifier. Moreover, according to certain embodiments, the access control system 106 may encrypt the user mobile device payload using the master key, a user mobile device identifier, and the diversification algorithm to generate the user diversification key. The encrypted user mobile device payload may include a variety of information including, for example, one or more user mobile device identifiers and other information needed for the user mobile device 102b to work with the lock device 104 including, for example, information indicating the permission level assigned to the user mobile device 102b, credential identifiers, a lock identifier) [Eberwine, para.0032-0033].
The same motivation to modify with Eberwine, as in claim 1, applies.
  
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over High in view of Eberwine as applied to claim 4, and further in view of Burch et al (US Pub.No. 2015/0278500).

Re Claim 5. High in view of Eberwine discloses the system of claim 4, High in view of Eberwine does not explicitly disclose whereas Burch does: wherein verifying the guest credential is associated with the authentication device comprises comparing a guest credential email address with an Attorney Docket No. WORKPI92141 PATENTauthentication device email address (i.e.  In an embodiment, at 313, the proxy compares an email address associated with the principal that is received with the request to information included with the access token as part of the validating) [Burch, para.0075].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify High in view of Eberwine with Burch because in Burch, Once the PSAO is created and stored, it can be delivered to the external principal in a variety of customized manners, such as via an email to the external principal (external principal being a different user from the user that created the PSAO) [Burch, para.0034].

Claims 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over High et al (US Pub.No.2018/0167394) in view of Eberwine et al (US Pub.No. 2015/0350913), as applied to claims 1 and 18, and further in view of Liebl et al (US Pub.No.2015/0288694).

Re Claim 17. High in view of Eberwine discloses the system of claim 1, High in view of Eberwine does not explicitly disclose whereas Liebl does: wherein the create indication to create a guest credential is provided by a human resources system guest setup process (i.e. consider a scenario in which Technology Company (604) has hired a new employee (614). The new employee requires access to several laboratories in order to perform the new job. The laboratories may be accessed via a lab access door (616). Technology Company (604) acts as the resource control entity, controlling access to the resource which, in the present example, is a laboratory……………………………. In order to enroll the new employee in the user authentication process, Technology Company (604) sends an enrollment request, corresponding to the new employee (614), to a ledger (612) of a transaction authentication system (610). The enrollment request includes a user identifier and a user email address. The user identifier and user email address are stored in the ledger repository (not shown) as user metadata. In response to the enrollment request, the ledger (612) generates an enrollment invitation, which is transmitted to the new employee (614) via email. At this time, the ledger also generates a partial credential and twenty UTK-LTK pairs, each of which are associated with the user metadata and stored in the ledger repository. Once the new employee (614) receives the enrollment invitation, the new employee follows instructions therein to obtain a credential application (602) from an app store (not shown) that provides apps for the new employee's smartphone (600). Once the new employee (614) obtains the credential application (602) and installs it on the new employee's smartphone (600), the new employee sends an indication (e.g., to the ledger via the credential application) that the new employee would like to accept the invitation) [Liebl, para0100-0102].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify High in view of Eberwine with Liebl because it facilitates authentication of an employee to allow access to an employer’s resource: After the partial credential and UTKs are received by the credential application (602), the new employee (614) interacts with the credential application executing on the smartphone (600) to provide signatures corresponding to the various aforementioned factors of authentication associated with lab access [Liebl, para.0103]. 

Re Claim 19. High in view of Eberwine discloses the system of claim 18, High in view of Eberwine does not explicitly disclose whereas Liebl does: wherein the authentication device digital identification app setup 5is in response to an email sent as part of a human resources system guest setup process  (i.e. consider a scenario in which Technology Company (604) has hired a new employee (614). The new employee requires access to several laboratories in order to perform the new job. The laboratories may be accessed via a lab access door (616). Technology Company (604) acts as the resource control entity, controlling access to the resource which, in the present example, is a laboratory……………………………. In order to enroll the new employee in the user authentication process, Technology Company (604) sends an enrollment request, corresponding to the new employee (614), to a ledger (612) of a transaction authentication system (610). The enrollment request includes a user identifier and a user email address. The user identifier and user email address are stored in the ledger repository (not shown) as user metadata. In response to the enrollment request, the ledger (612) generates an enrollment invitation, which is transmitted to the new employee (614) via email. At this time, the ledger also generates a partial credential and twenty UTK-LTK pairs, each of which are associated with the user metadata and stored in the ledger repository. Once the new employee (614) receives the enrollment invitation, the new employee follows instructions therein to obtain a credential application (602) from an app store (not shown) that provides apps for the new employee's smartphone (600). Once the new employee (614) obtains the credential application (602) and installs it on the new employee's smartphone (600), the new employee sends an indication (e.g., to the ledger via the credential application) that the new employee would like to accept the invitation) [Liebl, para0100-0102].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify High in view of Eberwine with Liebl because it facilitates authentication of an employee to allow access to an employer’s resource: After the partial credential and UTKs are received by the credential application (602), the new employee (614) interacts with the credential application executing on the smartphone (600) to provide signatures corresponding to the various aforementioned factors of authentication associated with lab access [Liebl, para.0103]. 



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434