DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application No. 17/094,609 filed on 11/10/2020.
As per the Preliminary Amendment filed on 11/23/2022, claims 1-12 and 17-19 are canceled; claims 13-16 and 20-35 have been added.  Claims 13-16 and 20-35 have been examined and are pending in this application.
Priority
Acknowledgment is made of Applicant’s claim for priority under 35 U.S.C. 120 to parent Application No. 16/044,350, filed on 07/24/2018 and Applicant’s claim for priority under 35 U.S.C. 119 (e) to Provisional Application No.: 62/536,227, filed on 07/24/2017.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 11/23/2020, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claim(s) 25 is objected to because of the following informalities:
Regarding Claim(s) 25, claim 25 does not end with a period. Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 13-16, 20-23, and 26-35 are rejected under 35 U.S.C. 103 as being unpatentable over Smith (US 2016/0269374) in view of Park et al. (US 2021/0152545; Hereinafter “Park”).
Regarding claim 13, Smith teaches a method, comprising: 
obtaining, at the local validation device, requests for credentials for a plurality of user devices (Smith: Para. [0046], In the illustrated example, a set of IoT devices 92 (92a-92e) includes a thermostat 92a, a temperature sensor 92b, a smoke alarm 92c, a window shade controller 92d and a light switch 92e. The IoT devices 92 may be formed into multiple different groups such as, for example, an “ITC” group, a “CAS” group, and so forth, wherein the groups have different resource exposure policies. In the illustrated example, a dynamic group verifier 94 (e.g., operating in the cloud domain) issues (e.g., “Operation 0”) a request to form the CAS group to a group management service 96 (e.g., operating in the local domain).); and 
distributing, from the local validation device, each of the credentials to its respective user device (Smith: Para. [0046], The group management service 96 may then provision (e.g., “Operation 1”, using a discovery service, multicast discovery protocol, etc.) a key (e.g., EPID.sub.pr1 . . . pr3) to each of the devices 92a, 92b, 92e as members of the CAS group. The group management service 96 may also publish (e.g., “Operation 2”) the group certificate (e.g., CertcAs) for the CAS group.).
Smith does not explicitly teach receiving, at a local validation device, a local enforcement policy over a network and from a certificate authority remotely located from the local validation device; obtaining, with the local validation device, the credentials in compliance with the local enforcement policy.  
In an analogous art, Park teaches receiving, at a local validation device, a local enforcement policy over a network and from a certificate authority remotely located from the local validation device (Park: Para. [0044], The authentication server 150 may be a server device including at least one computing device which serves as a certification authority. Para. [0046], The authentication server 150 may generate a certificate including partial information of the certificate generation request signal. In an exemplary embodiment of the present disclosure, the certificate may include the device ID, the UID, a random number, a transaction ID, a valid time, a valid number of times, an access control policy, and an encryption algorithm. [authentication server 150 may act as certification authority and generate access control policy] Para. [0073], The authentication server 150 may transmit the generated certificate to the authentication center 140 (410). Accordingly, the authentication center 140 may transmit the certificate to the IoT service 170 (412). In an exemplary embodiment of the present disclosure, the authentication server 150 may transmit the generated certificate to the IoT service 170 through the authentication center 140 and the cloud 160.); 
obtaining, with the local validation device, the credentials in compliance with the local enforcement policy (Park: Para. [0064], The authentication server 150 may transmit the generated certificate to the IoT device 110 (312). In an exemplary embodiment of the present disclosure, the authentication server 150 may transmit the generated certificate to the IoT device 110 through the authentication center 140 and the cloud 160. Para. [0036], Although the single IoT device 110 is shown in FIG. 1 for convenience of description, the number of IoT devices 110 is not limited thereto, and two or more IoT devices 110 may be connected to the cloud 160 or the gateway 130. Para. [0046], [0044])
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Park with the system and method of Smith to include receiving, at a local validation device, a local enforcement policy over a network and from a certificate authority remotely located from the local validation device; obtaining, with the local validation device, the credentials in compliance with the local enforcement policy because this functionality provides for provisioning of device credentials (Park: Para. [0014]).
Regarding claim 14, Smith, in combination with Park, teaches the method of claim 13, wherein obtaining, with the local validation device, the credentials in compliance with the local enforcement policy comprises: receiving, from each of the user devices, a device identifier; and comparing each of the device identifiers with the local enforcement policy to verify that each of the device identifiers is valid (Park: Para. [0044], The authentication server 150 may verify the public key and the device ID included in the certificate generation request received from the IoT device 110 or the authentication center 140. For example, when the IoT device 110 is onboarded on the cloud 160, corresponding device information (e.g., a device ID) may be registered in the cloud 160. Therefore, the authentication server 150 may receive the device information including the previously registered device ID from the cloud 160. The authentication server 150 may verify the validity of a corresponding device by comparing the device ID received from the cloud 160 and the device ID included in the certificate generation request received from the authentication center 140. Also, the authentication server 150 may verify the public key included in the certificate generation request through verification of the device ID.).
Regarding claim 15, Smith, in combination with Park, teaches the method of claim 13, wherein obtaining the requests for credentials comprises receiving, from each of the user devices, a device identifier (Park: Para. [0044], The authentication server 150 may verify the public key and the device ID included in the certificate generation request received from the IoT device 110 or the authentication center 140. Smith: Para. [0019], In one example, the method 22 also provides for identifying a third key on the device at block 31, wherein the third key is an enhanced privacy identifier (EPID). In general, the manufacturer of at least a portion of the device may store (e.g., in field programmable fuses or other write-once memory) the EPID to a trusted execution environment (TEE) on the device during fabrication of the device or its components (e.g., processor, controller, chipset). Para. ).
Regarding claim 16, Smith, in combination with Park, teaches the method of claim 13, further comprising validating the local enforcement policy by verifying that the local enforcement policy was signed by the certificate authority (Park: Para. [0047], Also, the authentication server 150 may generate a signed certificate by signing the generated certificate. The certificate generated by the authentication server 150 may be copied. To prevent this, the authentication server 150 may prove that the certificate has been generated by the authentication server 150 by signing the certificate.).
Regarding claim 20, Smith, in combination with Park, teaches the method of Claim 13, wherein each of the credential requests includes a respective one of the device identifiers and additional information (Park: Para. [0044], The authentication server 150 may verify the public key and the device ID included in the certificate generation request received from the IoT device 110 or the authentication center 140.).
Regarding claim 21, Smith, in combination with Park, teaches the method of Claim 13, wherein each of the credentials comprises a signed digital certificate (Smith: Para. [0046], The group management service 96 may then provision (e.g., “Operation 1”, using a discovery service, multicast discovery protocol, etc.) a key (e.g., EPID.sub.pr1 . . . pr3) to each of the devices 92a, 92b, 92e as members of the CAS group. The group management service 96 may also publish (e.g., “Operation 2”) the group certificate (e.g., CertcAs) for the CAS group.).
Regarding claim 22, Smith, in combination with Park, teaches the method of Claim 13, further comprising: receiving, at the local validation device, a second local enforcement policy over the network and from the certificate authority; and identifying the local enforcement policy based on the credentials (Park: Para. [0044], The authentication server 150 may be a server device including at least one computing device which serves as a certification authority. Para. [0046], The authentication server 150 may generate a certificate including partial information of the certificate generation request signal. In an exemplary embodiment of the present disclosure, the certificate may include the device ID, the UID, a random number, a transaction ID, a valid time, a valid number of times, an access control policy, and an encryption algorithm. [authentication server 150 may act as certification authority and generate access control policy] Para. [0073], The authentication server 150 may transmit the generated certificate to the authentication center 140 (410). Accordingly, the authentication center 140 may transmit the certificate to the IoT service 170 (412). In an exemplary embodiment of the present disclosure, the authentication server 150 may transmit the generated certificate to the IoT service 170 through the authentication center 140 and the cloud 160.); wherein obtaining the credentials in compliance with the local enforcement policy is based at least in part on identifying the local enforcement policy based on the credentials (Park: Para. [0064], The authentication server 150 may transmit the generated certificate to the IoT device 110 (312). In an exemplary embodiment of the present disclosure, the authentication server 150 may transmit the generated certificate to the IoT device 110 through the authentication center 140 and the cloud 160. Para. [0036], Although the single IoT device 110 is shown in FIG. 1 for convenience of description, the number of IoT devices 110 is not limited thereto, and two or more IoT devices 110 may be connected to the cloud 160 or the gateway 130. Para. [0046], [0044]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Park with the system and method of Smith to include further comprising: receiving, at the local validation device, a second local enforcement policy over the network and from the certificate authority because a second local enforcement policy appears to be the mere duplication of policy generation, which does not provide any patentable significance via a new and unexpected result. The duplication of generating a second policy by a certificate authority and then sending the second policy to a local validation device would have been obvious to a person having ordinary skill in the art in view of the teachings of Park that illustrates and describes generation of a certificate that includes policy information and transmission of the policy information through the cloud to an authentication center or IoT device in paragraph [0064]. Although Park does not explicitly teach generating a second policy by a certificate authority and then sending the second policy to a local validation device, the mere duplication of generating a second policy appears to have no patentable significance unless a new and unexpected result is produced (In re Harza, 274 F.2d 669, 124 USPQ 378 (CCPA 1960)) (See MPEP 2144.04 VI. B. [R-10.2019]).
Regarding claim 23, Smith, in combination with Park, teaches the method of Claim 13, further comprising: requesting the local enforcement policy from the certificate authority (Park: Para. [0041], The IoT device 110 may transmit a certificate generation request including the public key generated by the security module 120 and a device ID to the authentication center 140 through the cloud 160. Para. [0042], The authentication center 140 may be a server device including at least one computing device which serves as an authentication authority. The authentication center 140 may transmit the certificate generation request including the public key and the device ID received from the IoT device 110 to the authentication server 150.).
Regarding claim 26, Smith, in combination with Park, teaches the method of Claim 13, further comprising: determining the local enforcement policy is signed by the certificate authority (Park: Para. [0047], Also, the authentication server 150 may generate a signed certificate by signing the generated certificate.); and based at least in part on determining the local enforcement policy is signed by the certificate authority, validating the local enforcement policy (Park: Para. [0047], Also, the authentication server 150 may generate a signed certificate by signing the generated certificate. The certificate generated by the authentication server 150 may be copied. To prevent this, the authentication server 150 may prove that the certificate has been generated by the authentication server 150 by signing the certificate.).
Regarding claims 27-30, Claims 27-30 are rejected under the same rational as claims 13-16, respectively.
Regarding claims 31-33, Claims 31-33 are rejected under the same rational as claims 20-22, respectively.
Regarding claims 34-35, Claims 34-35 are rejected under the same rational as claims 13-14, respectively.

Claim(s) 24 is rejected under 35 U.S.C. 103 as being unpatentable over Smith (US 2016/0269374) in view of Park et al. (US 2021/0152545; Hereinafter “Park”) in view of Zumbik (US 2015/0381374).
Regarding claim 24, Smith, in combination with Park, teaches the method of Claim 13.  Smith, in combination with Park, does not explicitly teach wherein the certificate authority comprises a master validation device.  
In an analogous art, Zumbik teaches wherein the certificate authority comprises a master validation device (Zumbik: Para. [0047], Alternatively, the group of CAs can comprise one master CA and further CAs which are subordinate to the master CA. The master CA may control the subordinate CAs and may form the controlling instance of the controlling CA. The master CA can change over time.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Zumbik with the system and method of Smith and Park to include wherein the certificate authority comprises a master validation device because this functionality provides for hierarchical handling of certificate authorities and digital certificate management (Zumbik: Para. [0033]).

Claim(s) 25 is rejected under 35 U.S.C. 103 as being unpatentable over Smith (US 2016/0269374) in view of Park et al. (US 2021/0152545; Hereinafter “Park”) in view of Loladia et al. (US 10,447,683; Hereinafter “Loladia”).
Regarding claim 25, Smith, in combination with Park, teaches the method of Claim 13.  Smith, in combination with Park, does not explicitly teach further comprising: receiving, at the local validation device, a validation of the local validation device by the certificate authority; wherein receiving the local enforcement policy is based at least in part on the validation of the local validation device by the certificate authority. 
In an analogous art, Loladia teaches further comprising: receiving, at the local validation device, a validation of the local validation device by the certificate authority; wherein receiving the local enforcement policy is based at least in part on the validation of the local validation device by the certificate authority (Loladia: Col. 8, Lines 31-40, The CA 238 confirms that the information provided in the CSR (e.g., public key information) is valid. The CA 238 may issue a generated digital certificate to the requesting IoT device. Further, doing so may trigger a function to be invoked (e.g., via the event-driven computing service 121) that causes the provisioning service 236 to associate the digital certificate with the IoT device on the cloud computing platform 115, e.g., on the registry 230.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Loladia with the system and method of Smith and Park to include further comprising: receiving, at the local validation device, a validation of the local validation device by the certificate authority; wherein receiving the local enforcement policy is based at least in part on the validation of the local validation device by the certificate authority because this functionality provides for provisioning of credentials to IoT deices that are device specific and associated with a registry of the IoT Service (Loladia: Col. 1, Lines 7-10).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached at (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NELSON S. GIDDINS/            Primary Examiner, Art Unit 2437