DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 02/26/2021 has been considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 31, 33, 36 and 38 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 5 and 10-11 of USPN 10,972,290 (Appl. No: 16/931777). Although the claims at issue are not identical, they are not patentably distinct from each other. (see Claim-Comparison Table below for independent claim 31 of the instant application against Claim 1 of 10,972,290).
| Claim 31, Application 17/187693 | Claim 1, USPN 10,972,290 |
| --- | --- |
| A method for authenticating a user to a verifying party computer over a network, comprising: | A method for authenticating a user to a verifying party computer over a network, comprising: |
| generating a self-signed root certificate signed by a root private key on a user device; | generating a self-signed root user certificate signed by a root private key on a user device, wherein the signing of the self-signed root user certificate by the root private key occurs on the user device; |
| generating an intermediate private key from a secure enclave on the user device; | generating an intermediate private key in a secure enclave on the user device; |
| signing an intermediate certificate with the root private key; linking the intermediate certificate to the root certificate to form a certificate chain, the certificate chain including a public key corresponding to the intermediate private key; | signing an intermediate certificate with the root private key; linking the intermediate certificate to the self-signed user root certificate by way of signature to form a certificate chain, the certificate chain including a public key corresponding to the intermediate private key; |
| transmitting the certificate chain to the verifying party computer over the network; | transmitting the certificate chain to the verifying party computer over the network; |
| transmitting user identification data to the verifying party computer for linking with the certificate chain; | transmitting user identification data to the verifying party computer for linking with the certificate chain; |
| and transmitting the certificate chain to the verifying party computer in a subsequent communication to identify the user without the user identification data. | and transmitting the certificate chain to the verifying party computer in a subsequent communication to identify the user without the user identification data. |


Claims 33, 36 and 38 of the instant application are equivalent in scope to claims 5 and 10-11 of USPN 10,972,290.


Claims 21, 23-26, 29-34 and 36-39 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 2-5, 9-12 and 15-17 of USPN 10,756,908 (Appl. No: 16/796021). Although the claims at issue are not identical, they are not patentably distinct from each other. They both involve generating a self-signed root certificate, generating an intermediate certificate, linking the certificates, and transmitting the certificates to a verifying party.

Claims 21-22, 25-26 and 29 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 7-9 of USPN 10,873,468 (Appl. No: 16/796211). Although the claims at issue are not identical, they are not patentably distinct from each other. They both involve generating a self-signed root certificate, generating an intermediate certificate, linking the certificates, and transmitting the certificates to a verifying party.

Claims 21, 25-26 and 29-30 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 5-7 of USPN 10,958,448 (Appl. No: 16/905854). Although the claims at issue are not identical, they are not patentably distinct from each other. They both involve generating a self-signed root certificate, generating an intermediate certificate, linking the certificates, and transmitting the certificates to a verifying party.

Claims 21-22, 25-26 and 29-30 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 7-9 of USPN 10,728,044 (Appl. No: 16/796107). Although the claims at issue are not identical, they are not patentably distinct from each other. They both involve generating a self-signed root certificate, generating an intermediate certificate, linking the certificates, and transmitting the certificates to a verifying party.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 29 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
As per claim 29, the claim recites “recovering the root private key by connecting the external memory device to the user device”. It is unclear to the examiner what is meant by “connecting the external memory device” and what this limitation entails. For example, is this a physical connection, such as connecting a USB flash drive, or a virtual connection, such as connecting over the internet to a remote location? For examination purposes in applying prior art, the examiner interprets the limitation as a physical connection, such as attaching an external storage device (e.g., a USB drive) to the user device.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 23-26 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Brown et al. US2013/0145151 hereinafter referred to as Brown, in view of Nitschke US2017/0054566, Hayes et al. USPN 9,736,145 hereinafter referred to as Hayes, and Beloussov et al. USPN 11,184,335 hereinafter referred to as Beloussov.
As per claim 21, Brown teaches a method for authenticating a user to a verifying party computer over a network, comprising: generating a self-signed root certificate signed by a root private key on a user device (Brown paragraph [0028], [0030], [0062], generating a self-signed root certificate using a root private key); 
generating an intermediate private key on the user device (Brown paragraph [0036], generating short term private key); 
signing an intermediate certificate with the root private key (Brown paragraph [0037], creating derived certificate using long term private key); 
storing the intermediate private key on the user device (Brown paragraph [0036], [0065], stored short term private key).
Brown does not explicitly disclose generating private key in a secure enclave;
storing private key in the secure enclave;
linking intermediate certificate to root certificate by way of signature to form a certificate chain, the certificate chain including a public key corresponding to intermediate private key; 
transmitting the certificate chain to verifying party computer over network.
Nitschke teaches generating private key in a secure enclave (Nitschke paragraph [0095], private key generated and stored in TPM);
storing private key in the secure enclave (Nitschke paragraph [0095], private key generated and stored in TPM);
linking intermediate certificate to root certificate by way of signature to form a certificate chain, the certificate chain including a public key corresponding to intermediate private key (Nitschke Fig. 2, paragraph [0101], [0104], certificate chain with root certificate and intermediate certificate); 
transmitting the certificate chain to verifying party computer over network (Nitschke paragraph [0106], transferring certificates to checking computer).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown with the teachings of Nitschke to include generating and storing a key in a TPM and transmitting a certificate chain in order to provide secure generation and storage of the private key and user verification based on the certificate chain.
Brown in view of Nitschke does not explicitly disclose receiving, as an input to user device, user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number; 
using a certificate chain as a credential to transmit user verification data to a verifying party computer; 
storing the certificate chain in association with the user identification data in a database by the verifying party computer; 
receiving, at the verifying party computer, a subsequent communication from the user device including the certificate chain; and 
accessing the database by the verifying party computer with the certificate chain to retrieve the user identification data.  
Hayes teaches receiving, as an input to user device, user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number (Hayes col 9 lines 5-10, col 12 lines 45-50, receiving input such as CN or user name); 
using a certificate chain as a credential to transmit user verification data to a verifying party computer (Hayes col 9 lines 25-28, col 12 lines 40-50, col 12 lines 60-65, certificate chain used as credential to transmit user data); 
storing the certificate chain in association with the user identification data in a database by the verifying party computer (Hayes col 9 lines 20-25, col 12 lines 45-50, certificate chain is stored in association with the CN or user name); 
receiving, at the verifying party computer, a subsequent communication from the user device including the certificate chain (Hayes col 9 lines 35-45, col 11 lines 55-60, col 12 lines 1-5, receiving subsequent communication including certificate chain); and 
accessing the database by the verifying party computer with the certificate chain to retrieve the user identification data (Hayes col 9 lines 40-50, col 12 lines 5-12, col 12 lines 37-50, accessing database with the certificate chain to retrieve CN or user name).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke with the teachings of Hayes to include transmitting the user data and retrieving the user data based on a certificate chain in order to authenticate the user based on the certificate chain and user data.
Brown in view of Nitschke and Hayes does not explicitly disclose storing private key externally to user device.
Beloussov teaches storing private key externally to user device (Beloussov col 8 lines 59-65, col 9 lines 12-25, transmit and store private key at remote storage location).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke and Hayes with the teachings of Beloussov to include transmitting and storing private key to a secure remote location in order to provide a secure remote key storage for the root private key.
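The method set out in the claim comparison table above and in the analysis of claim 21 (a self-signed root generated on the device, an intermediate key and certificate signed by the root key, the chain enrolled with the verifying party together with user identification data, and the chain alone presented in a later communication) is shown below as a worked example in Go. It is added here and is not code from the applicant, the examiner, or any of the cited references. It uses Go's standard crypto/x509 package; Ed25519 key pairs stand in for whatever key type the secure enclave of the claims would hold (a Secure Enclave or TPM would more typically hold a P-256 key, and the x509 calls are unchanged for one); plain in-memory keys stand in for the enclave and for the external storage of the root key; and the challenge, user record and certificate subjects are constructed. The challenge signature in the subsequent communication is an addition of this example and is not recited in the claims: without it, the chain is a public value that anyone who has seen it could replay.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for it from tmpl. A nil signer
// makes the certificate self-signed (the root); otherwise parent/signer issue it.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return key, cert
}

// NewDevice is the user side. It returns a signing oracle over the intermediate key
// (standing in for the enclave, which signs but never releases the key) and the chain
// [intermediate, root]; the root key is dropped after signing (stored off-device in the claims).
func NewDevice() (func(challenge []byte) []byte, []*x509.Certificate) {
	now := time.Now()
	rootKey, root := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "user root"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	intKey, inter := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "user intermediate"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, root, rootKey)
	sign := func(challenge []byte) []byte { return ed25519.Sign(intKey, challenge) }
	return sign, []*x509.Certificate{inter, root}
}

// Verifier is the verifying party computer's database: root certificate SHA-256 fingerprint -> user identification data.
type Verifier map[string]string

// checkChain verifies the intermediate against the presented self-signed root. No public CA is
// involved: the pool holds only that root, so the chain identifies its enroller and vouches for nothing else.
func checkChain(chain []*x509.Certificate) (*x509.Certificate, string, error) {
	if len(chain) != 2 {
		return nil, "", errors.New("chain must be [intermediate, root]")
	}
	pool := x509.NewCertPool()
	pool.AddCert(chain[1])
	if _, err := chain[0].Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, "", err
	}
	return chain[0], fmt.Sprintf("%x", sha256.Sum256(chain[1].Raw)), nil
}

// Enroll links the chain with the user identification data (the first contact).
func (v Verifier) Enroll(chain []*x509.Certificate, userID string) error {
	_, fp, err := checkChain(chain)
	if err == nil {
		v[fp] = userID
	}
	return err
}

// Identify handles a later contact: chain plus a signature over a fresh challenge identify the user; no identification data is resent.
func (v Verifier) Identify(chain []*x509.Certificate, challenge, sig []byte) (string, error) {
	inter, fp, err := checkChain(chain)
	if err != nil {
		return "", err
	}
	pub, ok := inter.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("challenge signature does not verify under the intermediate key")
	}
	if userID, enrolled := v[fp]; enrolled {
		return userID, nil
	}
	return "", errors.New("root certificate not enrolled")
}

func main() {
	sign, chain := NewDevice()
	vp, challenge := Verifier{}, []byte("nonce-1") // constructed; a real verifier sends a fresh random nonce
	fmt.Println(vp.Enroll(chain, "alice@example.com")) // constructed sample identification data
	fmt.Println(vp.Identify(chain, challenge, sign(challenge)))
}
```

Two points the code makes that the claim text leaves implicit. First, the verifier's trust pool contains only the root the user presents, so a successful chain verification says only that the presented intermediate was signed by that root; the binding to a person comes entirely from the enrolment record keyed by the root fingerprint, which is a trust-on-first-use model and is only as good as the identity checks done at enrolment. Second, an intermediate from one device presented together with another user's root fails chain verification, and a signature over a stale challenge fails the possession check, so neither a copied chain nor a captured exchange identifies the user on its own.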

As per claim 23, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 wherein the self-signed root certificate is an X.509 certificate suitable for use with TLS (Brown paragraph [0030]-[0031], [0052], certificate).  

As per claim 24, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 further comprising verifying, by the verifying computer, with TLS that the certificate chain belongs to the user device (Brown paragraph [0050], [0052], verifying certificate with TLS; Nitschke paragraph [0101], certificate chain; Hayes col 10 lines 8-26, validating certificate with TLS).  

As per claim 25, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 further comprising: storing, by the user device, the intermediate private key in a signing application in a memory of the user device (Brown paragraph [0036], [0062], [0065], storing short term private key; Nitschke paragraph [0102], signing certificate with private key).  

As per claim 26, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 further comprising: storing, by the user device, the root private key in an external electronic device; and recovering the root private key from the external electronic device (Brown paragraph [0028], [0030], [0062], root private key; Beloussov col 8 lines 59-65, col 9 lines 12-25, col 12 lines 43-45, transmitting and storing the private key at a remote storage location and recovering the private key from the remote location).

As per claim 30, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21, wherein the step of storing the root private key externally to the user device further comprises: transmitting the root private key to a cloud-based credential recovery service server; and recovering the root private key from the cloud-based credential recovery service using at least one of a login, a password, or other user identifying information (Brown paragraph [0028], [0030], [0062], root private key; Beloussov col 8 lines 59-65, col 9 lines 12-25, col 12 lines 1-5, 20-36, 43-45, transmitting and storing the private key at a remote data center, authenticating the user and recovering the private key from the remote location).

Claims 27-29 are rejected under 35 U.S.C. 103 as being unpatentable over Brown in view of Nitschke, Hayes, and Beloussov, and further in view of Patel et al. US2019/0230092 hereinafter referred to as Patel. 
As per claim 27, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21.
Brown in view of Nitschke, Hayes and Beloussov does not explicitly disclose wherein step of storing private key externally to user device further comprises encoding the private key as a visual code and printing the visual code, and further comprising: recovering the private key by scanning the visual code.  
Patel teaches wherein step of storing private key externally to user device further comprises encoding the private key as a visual code and printing the visual code, and further comprising: recovering the private key by scanning the visual code (Patel paragraph [0046], [0048]-[0049], [0052], [0056], private key is formatted as a QR code and printed on paper.  Scan QR code to recover private key).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke, Hayes and Beloussov with the teachings of Patel to include encoding and printing the private key in order to provide a hardcopy backup of the root private key.

As per claim 28, Brown in view of Nitschke, Hayes, Beloussov and Patel teaches the method of claim 27 wherein the visual code is a QR code (Patel paragraph [0046], [0048]-[0049], [0052], [0056], QR code).  

As per claim 29, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21, wherein the step of storing the root private key externally to the user device further comprises transferring the root private key to an external memory device (Brown paragraph [0028], [0030], [0062], root private key; Beloussov col 8 lines 59-65, col 9 lines 5-25, transmit and store private key at external device).
Brown in view of Nitschke, Hayes and Beloussov does not explicitly disclose further comprising: recovering root private key by connecting external memory device to user device.  
Patel teaches further comprising: recovering the root private key by connecting an external memory device to the user device (Patel paragraph [0056], backing up the private key to external storage such as a USB flash drive). It would have been obvious to one of ordinary skill in the art that a user recovers the private key at a later point in time, and that the USB flash drive is connected to the user device in order to recover/retrieve the backed-up private key.
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke, Hayes and Beloussov with the teachings of Patel to include storing/recovering private key in/from an external device such as USB drive in order to provide a backup copy of the root private key.

Allowable Subject Matter
Claim 22 would be allowable if a terminal disclaimer is timely filed to overcome the double patenting rejection set forth in this Office action, and if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claims 31-40 would be allowable if a terminal disclaimer is timely filed to overcome the double patenting rejection set forth in this Office action.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HENRY TSANG/             Primary Examiner, Art Unit 2495