DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claims 1, 9 and 10 are objected to because of the following informalities:  they recite or essentially recite “to sign the sub-certificate with the root certificate of the at least one machine”.  A root certificate cannot sign the sub-certificate; only the private key corresponding to the public key contained in the root certificate can sign the sub-certificate.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-10 are rejected under 35 U.S.C. 103 as being unpatentable over Rooyakkers (US 2015/0046701), and further in view of Loreskar (US 2019/0074980).

Regarding claims 1 and 10, Rooyakkers teaches A system (The secure industrial control system 100, see [0035] and Fig. 1), comprising:
at least one machine (see [0035] and Fig. 1: “The secure industrial control system 100 includes … the industrial elements of the industrial control system 100 (e.g., of the control and I/O subsystem 102)”. And see [0019]: “the industrial control system 100 includes a control and input/output (I/O) sub-system 102, as shown in FIGS. 1 and 5”. The Examiner interprets the control and input/output (I/O) subsystem 102 as at least one machine) including at least one device (see [0019] and FIGS. 1, 3: “The control and I/O sub-system 102 includes a plurality of industrial elements such as devices 104. In embodiments, the devices 104 may comprise one or more communications control modules (CCM) 106, and/or one or more input/output modules (IOM) 108”. The Examiner interpret an industrial element such as a device 104 included in the control and I/O sub-system 102 as at least one device included in at least one machine) configured to exchange data with another device of the at least one machine (see [0039] and Fig. 1: “During authentication of an industrial element of the industrial control system 100, when a determination is made that an industrial element being authenticated was manufactured or supplied by an entity that is different than the OEM of one or more other industrial elements of the industrial control system 100, then the functionality of that industrial element may be at least partially disabled within the industrial control system 100. For example, limitations may be placed upon communication (e.g., data transfer) between that industrial element and other industrial elements of the industrial control system 100, such that the industrial element may not work/function within the industrial control system 100”. The Examiner interprets “communication (e.g., data transfer) between that industrial element and other industrial elements of the industrial control system 100” as at least one device configured to exchange data with another device of the at least one machine) or of another machine for a joint solution of a task or with a higher-level device; and
a certification device configured to (see [0035] and Fig. 1: “The secure industrial control system 100 includes a security credential source 101, a security credential implementer 103, and the industrial elements of the industrial control system 100 (e.g., of the control and I/O subsystem 102). …The security credential source 101 is configured to generate unique security credentials (e.g., keys, certificates, etc.). The security credential implementer 103 is configured to provision the industrial elements with the unique security credential generated by the security credential source 101”. And see [0041] and Fig. 4: “the secure industrial control system 100 includes a key management entity (e.g., key management system 130)…. the key management system 130 is configured to serve as a security credentials source, generating unique security credentials (e.g., public security credentials, secret security credentials) for the industrial elements of the industrial control system 100”. And see [0043] and Fig. 5: “The secure industrial control system 100 may further include one or more manufacturing entities (e.g., factories) 136…. The key management entity 130 can utilize the communications pipeline for provisioning the industrial elements with security credentials (e.g., inserting keys, certificates and/or identification numbers into the industrial elements) at the point of manufacture”.  The Examiner interprets the security credential source 101/ key management system 130 that provisions the industrial element (the at least one device of the machine) with a certificate as a certification device configured to grant a certificate to the at least one device of the machine).

Rooyakkers fails to teach that the certification device is configured to identify the at least one machine with a root certificate of the at least one machine. Rooyakkers also fails to teach that the certificate granted by the certification device to the at least one device of the machine is a sub-certificate. In addition, Rooyakkers fails to teach wherein the certification device is further configured (i) to sign the sub-certificate with the root certificate  of the at least one machine in order to identify the at least one device as belonging to the at least one machine, and (ii) to issue the sub-certificate biuniquely for the at least one device.

In the same field of endeavor, Loreskar teaches A system (see [0036] and Fig. 1: “a system 2 comprising a number of electronic devices 4 and an enrolment device 6”. The Examiner interprets the system 2 as A system), comprising: 
at least one machine (enrollment device 6, see [0041] and Fig. 1) (see [0036] and Fig. 1: “The electronic devices 4 may be Internet of Things (IoT) type devices”) configured to exchange data with another device of the at least one machine or of another machine for a joint solution of a task or with a higher-level device (see [0036] and Fig. 1: “a service provider server 12 associated with some cloud service, such as a banking or health care service”. The Examiner interprets a service provider server 12 as a higher-level device. And see [0036] and Fig. 1: “The enrolment device 6 may also be in communication with various remote servers 10, 12, such as a certificate storing server 10 for storing certificates associated with a public key infrastructure, or a service provider server 12 associated with some cloud service, such as a banking or health care service. Although not shown in FIG. 1, in some examples the IoT devices 4 could also communicate with the remote servers 10, 12 directly”. The Examiner interprets the enrollment device 6 and the IoT device 4 communicating with the service provider server 12 as at least one machine ); and 
a certification device (see abstract and Fig. 1: “The enrolling comprises generating an electronic device certificate 30-I for the chain of trust using the public key 32 obtained from the electronic device. The enrolling is performed at an enrolment device 6 separate from the electronic device 4”. The Examiner interprets the  enrollment device 6 as a certification device because it provides a certificate for the IoT electronic device 4) configured to identify the at least one machine with a root certificate of the at least one machine and to grant a sub-certificate to the at least one device (see [0041] and Figs. 1, 4: “The present technique extends the chain of trust so that a certificate 30-I for an IoT device 4 is created as a descendant of a device certificate 30-D associated with an enrolment device 6 which manages to the enrolment processes for enrolling the IoT device in to the chain of trust”. The Examiner interprets a device certificate 30-D associated with an enrolment device 6 (at least one machine) as a root certificate of the at least one machine. The Examiner further interprets a certificate 30-I for an IoT device 4 (at least one device) created as a descendant of a device certificate 30-D associated with an enrolment device 6 as a sub-certificate to the at least one device . Also see [0008]-[0012]), 
wherein the certification device is further configured (i) to sign the sub-certificate with the root certificate of the at least one machine (see [0024] and Fig. 4: “the electronic device certificate may be a direct child certificate of the enrolment device certificate. Hence, the electronic device certificate may be signed with a private key associated with the enrolment device, which a third party can verify as valid using the enrolment device certificate which may specify the corresponding public key”) in order to identify the at least one device as belonging to the at least one machine (see [0045]: “the electronic device certificate for the IoT device 4 may specify an issuer identifier identifying the parent which issued the certificate (which could be the enrolment device 6 or a trusted application), so that a verifier can verify the signature on the IoT device certificate by obtaining the corresponding parent certificate”. And see [0031]: “The electronic device certificate may comprise metadata indicative of the circumstances in which the electronic device certificate was generated. For example, the metadata could include at least one of: …the enrolment device associated with generation of the electronic device certificate”. And see [0043]: “In addition to the public key 32, the IoT device certificate 30-I may include metadata 38 which may indicate other information about the way in which the IoT device certificate was generated. For example the metadata … could indicate …the enrolment device which is associated with generation of the electronic device certificate”), and (ii) to issue the sub-certificate biuniquely for the at least one device (see [0041] and Fig. 4: “The present technique extends the chain of trust so that a certificate 30-I for an IoT device 4 is created”).

Both Rooyakkers and Loreskar teach at least one machine and at least one device. In addition, both Rooyakkers and Loreskar teach granting a certificate to the at least one device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by further configuring the certification device: 1) to identify the at least one machine with a root certificate of the at least one machine; 2) to let the certificate granted to the at least one device of the machine be a sub-certificate; 3) to sign the sub-certificate with the root certificate  of the at least one machine in order to identify the at least one device as belonging to the at least one machine, and 4) to issue the sub-certificate biuniquely for the at least one device; as taught by Loreskar. It would have been obvious because Loreskar teaches that doing so achieves the following benefit: “By enrolling the electronic device into the chain of trust as a descendant of the enrolment device certificate, rather than as a descendant of the certificate associated with a manufacturer or certifying authority, this enables the certificate to be generated when the electronic device is already in the field in the hands of an end user, for example, rather than requiring it to be done at the time of manufacture, thus reducing the cost of the manufacturing process and the device itself” (see Loreskar [0022]).

Regarding claim 2, Rooyakkers fails to teach wherein: the certification device has a private key containing a public key, and the certification device is configured to use the private key for signing the root certificate for the at least one machine.
In the same field of endeavor, Loreskar teaches wherein: a (emphasis added to show the difference between the reference and the claim) certification device (see [0040]and Fig. 4: “The root certifying authority associated with the root certificate 30-R may attest as valid a number of child certificates 30-M, for example corresponding to particular manufacturers of electronic devices (OEMs). Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates within the chain of trust”. The Examiner interprets the particular manufacturer of electronic devices (OEM) as a certification device because “Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates”) has a private key containing a public key (see [0040] and Fig. 4: “FIG. 4 shows an example of a chain of trust provided by a public key infrastructure. The public key infrastructure is represented by a hierarchy of certificates 30 which can be used for verifying the source of messages. Each certificate 30 comprises a public key 32 which corresponds to a private key 34 held by the corresponding source to be attributed….The root certifying authority associated with the root certificate 30-R may attest as valid a number of child certificates 30-M, for example corresponding to particular manufacturers of electronic devices (OEMs)”. The Examiner interprets the private key 34 corresponding to the public key 32 in the OEM certificate 30-M of the manufacturer of electronic devices (OEM) in Fig. 4 as wherein: the certification device has a private key containing a public key), and the certification device is configured to use the private key for signing the root certificate for the at least one machine (see [0040] and Fig. 4: “Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates within the chain of trust”. And see [0024] and Fig. 4: “the electronic device certificate may be a direct child certificate of the enrolment device certificate. Hence, the electronic device certificate may be signed with a private key associated with the enrolment device, which a third party can verify as valid using the enrolment device certificate which may specify the corresponding public key”. The Examiner interprets the OEM (the certification device) signing a certificate 30-D for the enrollment device 6 (the root certificate for the at least one machine) using the private key corresponding to the public key 32 in the OEM certificate 30-M as the certification device is configured to use the private key for signing the root certificate for the at least one machine). 
Both Rooyakkers and Loreskar teach a certification device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by letting the certification device of Rooyakkers have a private key containing a public key, and configuring the certification device of Rooyakkers to use the private key for signing the root certificate for the at least one machine, as taught by Loreskar. It would have been obvious because doing so predictably achieves the benefit of generating the root certificate for the at least one machine. 

Regarding claim 3, Rooyakkers fails to teach wherein: the at least one device has a private key containing a public key, the at least one device is configured to send the public key to the certification device so that the certification device issues the sub-certificate, and the certification device is configured to sign the public key of the at least one device with the root certificate of the at least one machine in order to issue the sub-certificate for the at least one device.
In the same field of endeavor, Loreskar teaches wherein: the at least one device has a private key containing a public key (see [0043]: “The public key 32 and private key 34 associated with the IoT device certificate 30-I could be pre-existing keys 24 which were injected into the device during manufacture, or could be keys which have been provided to the device or generated within the device subsequently during a post processing step”. The Examiner interprets the IoT device as the at least one device), 
the at least one device is configured to send the public key to the certification device so that the certification device issues the sub-certificate (see [0021]: “These issues can be addressed by providing a method for post-manufacture certificate generation for an electronic device, in which a public key is obtained from the electronic device at an enrolment device which is separate from the electronic device, and the enrolment device performs the enrolling of the electronic device into a chain of trust provided by a public key infrastructure. …. The enrolling performed by the enrolment device includes generating an electronic device certificate for the chain of trust using the public key obtained from the electronic device. In the chain of trust, the electronic device certificate is a descendant certificate of an enrolment device certificate associated with the enrolment device”. The Examiner interprets the enrollment device 6 as the certification device because it generates an IoT electronic device certificate), and 
the certification device is configured to sign the public key of the at least one device with the root certificate of the at least one machine in order to issue the sub-certificate for the at least one device (see 0021]: “The enrolling performed by the enrolment device includes generating an electronic device certificate for the chain of trust using the public key obtained from the electronic device. In the chain of trust, the electronic device certificate is a descendant certificate of an enrolment device certificate associated with the enrolment device”. And see [0024] and Fig. 4: “the electronic device certificate may be a direct child certificate of the enrolment device certificate. Hence, the electronic device certificate may be signed with a private key associated with the enrolment device, which a third party can verify as valid using the enrolment device certificate which may specify the corresponding public key”).
Both Rooyakkers and Loreskar teach a certification device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by letting the at least one device of Rooyakkers have a private key containing a public key and send the public key to the certification device so that the certification device issues the sub-certificate, as taught by Loreskar. In addition, before the effective filing date of the claimed invention, it would also have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by configuring the certification device of Rooyakkers to sign the public key of the at least one device with the root certificate of the at least one machine in order to issue the sub-certificate for the at least one device, as taught by Loreskar. It would have been obvious because doing so predictably achieves the benefit of generating the sub-certificate for the at least one device. 

Regarding claim 4, Rooyakkers further teaches wherein a first device of the at least one device is a control device, and a second device of the at least one device is a drive device, a tool, or a transport device (see [0016]: “the industrial elements may include a control module (e.g., communications control module) and an input/output module”. And see [0019] and Fig. 5: “The control and I/O sub-system 102 includes a plurality of industrial elements such as devices 104. In embodiments, the devices 104 may comprise one or more communications control modules (CCM) 106, and/or one or more input/output modules (IOM) 108”. The Examiner interprets communications control modules (CCM) 106 as wherein a first device of the at least one device is a control device. And see [0022] and Fig. 5: “The input/output modules 108, when configured as output modules, can be used to transmit instructions to output instruments of the field devices 112. For example, the field devices 112 may include an output instrument, such as a motor… the input/output modules 108 may be connected to the motor and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, and so forth”. The Examiner interprets input/output modules 108 controlling operating characteristics of a motor as a second device of the at least one device is a drive device).

Regarding claim 5, Rooyakkers further teaches wherein the at least one device of the machine is configured, during an exchange of the data with the other device of the machine or of the other machine or of the higher-level device, to permit the exchange of the data only when the data are provided with the (see [0036]: “Communication between one or more of the components and/or physical interconnect devices (e.g., cable assemblies) of the industrial control system 100 may include an authentication process. The authentication process may be performed for authenticating a component and/or physical interconnect device implemented in the industrial control system 100. In implementations, the authentication process may utilize security credentials associated with the component and/or physical interconnect device for authenticating that component and/or physical interconnect device. For example, the security credentials may include encryption keys, certificates (e.g., public key certificates, digital certificates, identity certificates, security certificates, asymmetric certificates, standard certificates, non-standard certificates) and/or identification numbers”. And see [0038]: “Based upon the results of the authentication process, the industrial element being authenticated may be activated, partial functionality of the industrial element may be enabled or disabled within the industrial control system 100, complete functionality of the industrial element may be enabled within the industrial control system 100, and/or functionality of the industrial element within the industrial control system 100 may be completely disabled (e.g., no communication between that industrial element and other industrial elements of the industrial control system 100”. The Examiner interprets “no communication between that industrial element and other industrial elements of the industrial control system 100” when authentication based on a certificate associated with the industrial element (the at least one device of the machine) fails as wherein the at least one device of the machine is configured, during an exchange of the data with the other device of the machine, to permit the exchange of the data only when the data are provided with the certificate), 
Rooyakkers fails to teach that the certificate associated with the at least one device of the machine is a sub-certificate, which is signed with the root certificate.
In the same field of endeavor, Loreskar teaches that the certificate associated with the at least one device is a sub-certificate (see [0041] and Figs. 1, 4: “The present technique extends the chain of trust so that a certificate 30-I for an IoT device 4 is created as a descendant of a device certificate 30-D associated with an enrolment device 6 which manages to the enrolment processes for enrolling the IoT device in to the chain of trust”. The Examiner interprets a certificate 30-I for an IoT device 4 (at least one device) created as a descendant of a device certificate 30-D associated with an enrolment device 6 as a sub-certificate), 
which is signed with the root certificate (see [0024] and Fig. 4: “the electronic device certificate may be a direct child certificate of the enrolment device certificate. Hence, the electronic device certificate may be signed with a private key associated with the enrolment device, which a third party can verify as valid using the enrolment device certificate which may specify the corresponding public key”. And see [0040] and Fig. 4: “FIG. 4 shows an example of a chain of trust provided by a public key infrastructure. The public key infrastructure is represented by a hierarchy of certificates 30 which can be used for verifying the source of messages. Each certificate 30 comprises a public key 32 which corresponds to a private key 34 held by the corresponding source to be attributed”. The Examiner interprets a device certificate 30-D associated with an enrolment device 6 as the root certificate. The Examiner further interprets the IoT electronic device certificate 30-I (a descendant of a device certificate 30-D), which “may be signed with a private key associated with the enrolment device” (see [0024]), wherein the private key associated with the enrolment device corresponds to the public key contained in the device certificate 30-D associated with an enrolment device 6 (the root certificate), as the sub-certificate, which is signed with the root certificate).
Both Rooyakkers and Loreskar teach issuing a certificate to the at least one device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by letting the certificate issued to the at least one device of the machine taught by Rooyakkers be a sub-certificate, which is signed with the root certificate; as taught by Loreskar. It would have been obvious because Loreskar teaches that doing so achieves the following benefit: “By enrolling the electronic device into the chain of trust as a descendant of the enrolment device certificate, rather than as a descendant of the certificate associated with a manufacturer or certifying authority, this enables the certificate to be generated when the electronic device is already in the field in the hands of an end user, for example, rather than requiring it to be done at the time of manufacture, thus reducing the cost of the manufacturing process and the device itself” (see Loreskar [0022]). 
When Rooyakkers is modified in view of Loreskar as described above, it would teach wherein the at least one device of the machine is configured, during an exchange of the data with the other device of the machine or of the other machine or of the higher-level device, to permit the exchange of the data only when the data are provided with the sub-certificate, which is signed with the root certificate, as recited in claim 5.

Regarding claim 6, Rooyakkers further teaches wherein the data are operating state data or comprise a control command of the at least one device (see [0026] and Fig. 5: “The communications links 114 may be coupled with one or more communications control modules 106, which can be used as master devices for monitoring and controlling the input/output modules 108, and for connecting the input/output modules 108 together”. And see [0021] and Fig. 5: “One or more input/output modules 108 are connected to (e.g., communicatively coupled with) the one or more field devices 112. The one or more input/output modules 108 may comprise input modules and/or output modules (e.g., may be configured for receiving inputs and/or providing outputs). The one or more field devices 112 may include an input instrument, such as a sensor, which may be used for functions such as measuring pressure in piping for a gas plant, a refinery, and so forth”. The Examiner interprets “pressure in piping for a gas plant, a refinery” as operating state data. And see [0022] and Fig. 5: “The input/output modules 108, when configured as output modules, can be used to transmit instructions to output instruments of the field devices 112. For example, the field devices 112 may include an output instrument, such as a motor. In such implementations, the input/output modules 108 may be connected to the motor and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, and so forth”. The Examiner interprets “the input/output modules 108 may be connected to the motor and configured to control one or more operating characteristics of the motor” as wherein the data… comprise a control command of the at least one device).

Regarding claim 7, Rooyakkers further teaches wherein the data comprise parameters for controlling a drive of at least one element of the at least one machine (see [0022] and Fig. 5: “The input/output modules 108, when configured as output modules, can be used to transmit instructions to output instruments of the field devices 112. For example, the field devices 112 may include an output instrument, such as a motor. In such implementations, the input/output modules 108 may be connected to the motor and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque, and so forth”. The Examiner interprets “the input/output modules 108 may be connected to the motor and configured to control one or more operating characteristics of the motor, such as motor speed, motor torque” as wherein the data comprise parameters for controlling a drive of at least one element of the at least one machine), and/or the data comprise an IP address and/or a name of the at least one device.

Regarding claim 8, Rooyakkers fails to teach a further device arranged externally to the at least one machine and configured to store the root certificate of the at least one machine, and to check the data received from the at least one device of the at least one machine for trustworthiness using the root certificate of the at least one machine.
In the same field of endeavor, Loreskar teaches a further device arranged externally to the at least one machine and configured to store the root certificate of the at least one machine (see [0036] and Fig. 1: “The enrolment device 6 may also be in communication with various remote servers 10, 12, such as a certificate storing server 10 for storing certificates associated with a public key infrastructure”. And see [0040] and Fig. 4: “FIG. 4 shows an example of a chain of trust provided by a public key infrastructure. The public key infrastructure is represented by a hierarchy of certificates 30 which can be used for verifying the source of messages….Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates within the chain of trust”. The Examiner interprets the certificate storing server 10 storing the enrolment device certificate 30-D associated with the enrolment device 6 as a further device arranged externally to the at least one machine and configured to store the root certificate of the at least one machine), and to check the data received from the at least one device of the at least one machine for trustworthiness using the root certificate of the at least one machine (see [0040]: “the chain of trust provides a tree of certificates, where a child certificate is attested as valid by an attestor associated with a parent certificate in the chain of trust”. And see abstract: “The electronic device certificate 30-I is a descendant certificate of the enrolment device certificate 30-D associated with the enrolment device 6”. The Examiner interprets attesting the IoT electronic device certificate 30-I, which is a descendant/child certificate of the enrolment device certificate 30-D associated with the enrolment device 6, using the parent certificate (the enrolment device certificate 30-D or the root certificate of the at least one machine) taught in [0040], as to check the data received from the at least one device of the at least one machine for trustworthiness using the root certificate of the at least one machine).
Both Rooyakkers and Loreskar teach issuing a certificate to the at least one device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by adding a further device arranged externally to the at least one machine and configured to store the root certificate of the at least one machine, and to check the data received from the at least one device of the at least one machine for trustworthiness using the root certificate of the at least one machine; as taught by Loreskar. It would have been obvious because Loreskar teaches that doing so achieves the following benefit: “By enrolling the electronic device into the chain of trust as a descendant of the enrolment device certificate, rather than as a descendant of the certificate associated with a manufacturer or certifying authority, this enables the certificate to be generated when the electronic device is already in the field in the hands of an end user, for example, rather than requiring it to be done at the time of manufacture, thus reducing the cost of the manufacturing process and the device itself” (see Loreskar [0022]). 

Regarding claim 9, Rooyakkers teaches A machine (see [0035] and Fig. 1: “The secure industrial control system 100 includes … the industrial elements of the industrial control system 100 (e.g., of the control and I/O subsystem 102)”. And see [0019]: “the industrial control system 100 includes a control and input/output (I/O) sub-system 102, as shown in FIGS. 1 and 5”. The Examiner interprets the control and input/output (I/O) subsystem 102 as A machine), comprising: 
at least one device (see [0019] and FIGS. 1, 3: “The control and I/O sub-system 102 includes a plurality of industrial elements such as devices 104. In embodiments, the devices 104 may comprise one or more communications control modules (CCM) 106, and/or one or more input/output modules (IOM) 108”. The Examiner interpret an industrial element such as a device 104 included in the control and I/O sub-system 102 as at least one device included in A machine) configured to exchange data with another device of the machine (see [0039] and Fig. 1: “During authentication of an industrial element of the industrial control system 100, when a determination is made that an industrial element being authenticated was manufactured or supplied by an entity that is different than the OEM of one or more other industrial elements of the industrial control system 100, then the functionality of that industrial element may be at least partially disabled within the industrial control system 100. For example, limitations may be placed upon communication (e.g., data transfer) between that industrial element and other industrial elements of the industrial control system 100, such that the industrial element may not work/function within the industrial control system 100”. The Examiner interprets “communication (e.g., data transfer) between that industrial element and other industrial elements of the industrial control system 100” as at least one device configured to exchange data with another device of the at least one machine) or another machine for a joint solution of a task or with a higher-level device.

Rooyakkers further teaches a certification device configured (i) to issue a (see [0035] and Fig. 1: “The secure industrial control system 100 includes a security credential source 101, a security credential implementer 103, and the industrial elements of the industrial control system 100 (e.g., of the control and I/O subsystem 102). …The security credential source 101 is configured to generate unique security credentials (e.g., keys, certificates, etc.). The security credential implementer 103 is configured to provision the industrial elements with the unique security credential generated by the security credential source 101”. And see [0041] and Fig. 4: “the secure industrial control system 100 includes a key management entity (e.g., key management system 130)…. the key management system 130 is configured to serve as a security credentials source, generating unique security credentials (e.g., public security credentials, secret security credentials) for the industrial elements of the industrial control system 100”. And see [0043] and Fig. 5: “The secure industrial control system 100 may further include one or more manufacturing entities (e.g., factories) 136…. The key management entity 130 can utilize the communications pipeline for provisioning the industrial elements with security credentials (e.g., inserting keys, certificates and/or identification numbers into the industrial elements) at the point of manufacture”.  The Examiner interprets the security credential source 101/ key management system 130 that provisions the industrial element (the at least one device of the machine) with a certificate as a certification device configured (i) to issue a certificate to the at least one device of the machine, and (iii) to issue the certificate biuniquely for the at least one device).

Rooyakkers fails to teach that the certificate device is included in the machine. Rooyakkers also fails to teach that the certificate issued by the certification device to the at least one device is a sub-certificate. In addition, Rooyakkers fails to teach that the certification device is further configured (i) to issue a sub-certificate to the at least one device, to identify the at least one device as belonging to the machine (emphasis added to show the feature not taught by Rooyakkers), (ii) to sign the sub- certificate with a root certificate of the machine that was issued by a higher-level certification device.
In the same field of endeavor, Loreskar teaches A machine (enrollment device 6, see [0041] and Fig. 1), comprising: a certification device (see abstract and Fig. 1: “The enrolling comprises generating an electronic device certificate 30-I for the chain of trust using the public key 32 obtained from the electronic device. The enrolling is performed at an enrolment device 6 separate from the electronic device 4”. The Examiner interprets the  enrollment device 6 as a certification device because it provides a certificate for the IoT electronic device 4) configured 
(i) to issue a sub-certificate to the at least one device (see [0036] and Fig. 1: “The electronic devices 4 may be Internet of Things (IoT) type devices”. The Examiner interprets the IoT electronic device 4 as the at least one device. And see [0041] and Figs. 1, 4: “The present technique extends the chain of trust so that a certificate 30-I for an IoT device 4 is created as a descendant of a device certificate 30-D associated with an enrolment device 6 which manages to the enrolment processes for enrolling the IoT device in to the chain of trust”. The Examiner further interprets creating a certificate 30-I for an IoT device 4 (at least one device) as a descendant of a device certificate 30-D associated with an enrolment device 6 as to issue a sub-certificate to the at least one device. Also see [0008]-[0012]), to identify the at least one device as belonging to the machine (see [0045]: “the electronic device certificate for the IoT device 4 may specify an issuer identifier identifying the parent which issued the certificate (which could be the enrolment device 6 or a trusted application), so that a verifier can verify the signature on the IoT device certificate by obtaining the corresponding parent certificate”. And see [0031]: “The electronic device certificate may comprise metadata indicative of the circumstances in which the electronic device certificate was generated. For example, the metadata could include at least one of: …the enrolment device associated with generation of the electronic device certificate”. And see [0043]: “In addition to the public key 32, the IoT device certificate 30-I may include metadata 38 which may indicate other information about the way in which the IoT device certificate was generated. For example the metadata … could indicate …the enrolment device which is associated with generation of the electronic device certificate”), 
(ii) to sign the sub- certificate with a root certificate of the machine (see [0041] and Figs. 1, 4: “The present technique extends the chain of trust so that a certificate 30-I for an IoT device 4 is created as a descendant of a device certificate 30-D associated with an enrolment device 6 which manages to the enrolment processes for enrolling the IoT device in to the chain of trust”. The Examiner interprets a device certificate 30-D associated with an enrolment device 6 (A machine) as a root certificate of the machine. And see [0024] and Fig. 4: “the electronic device certificate may be a direct child certificate of the enrolment device certificate. Hence, the electronic device certificate may be signed with a private key associated with the enrolment device, which a third party can verify as valid using the enrolment device certificate which may specify the corresponding public key”) that was issued by a higher-level certification device (see [0040]and Fig. 4: “The root certifying authority associated with the root certificate 30-R may attest as valid a number of child certificates 30-M, for example corresponding to particular manufacturers of electronic devices (OEMs). Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates within the chain of trust”. The Examiner interprets the particular manufacturer of electronic devices (OEM) as a higher-level certification device because “Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates”. Therefore, the Examiner interprets the device certificate 30-D associated with an enrolment device 6 generated as children of the OEM certificates by the OEM as a root certificate of the machine that was issued by a higher-level certification device).

Both Rooyakkers and Loreskar teach at least one machine and at least one device. In addition, both Rooyakkers and Loreskar teach granting a certificate to the at least one device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by including the certification device of Rooyakkers in the machine of Rooyakkers, as taught by Loreskar. In addition, before the effective filing date of the claimed invention, it would also have been obvious to one of ordinary skill in the art to improve the system of Rooyakkers by configuring the certification device: i) to issue a sub-certificate to the at least one device, to identify the at least one device as belonging to the machine; and ii) to sign the sub- certificate with a root certificate of the machine that was issued by a higher-level certification device; as taught by Loreskar. It would have been obvious because Loreskar teaches that doing so achieves the following benefit: “the process for enrolling the electronic device in to the chain of trust can be managed post-manufacture by a separate enrolment device, avoiding the need for the electronic device itself to store software for handling this process and avoiding the additional manufacturing cost of embedding the PKI keys/certificates in the device during manufacturing By enrolling the electronic device into the chain of trust as a descendant of the enrolment device certificate, rather than as a descendant of the certificate associated with a manufacturer or certifying authority, this enables the certificate to be generated when the electronic device is already in the field in the hands of an end user, for example, rather than requiring it to be done at the time of manufacture, thus reducing the cost of the manufacturing process and the device itself” (see Loreskar [0022]).
Because Rooyakkers teaches that the machine includes the at least one device, Rooyakkers modified in view of Loreskar would teach A machine, comprising: at least one device …; and a certification device configured (i) to issue a sub-certificate to the at least one device of the machine, to identify the at least one device as belonging to the machine, as recited in claim 9.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Rooyakkers (US 2015/0046701), further in view of Loreskar (US 2019/0074980), and further in view of Brown (US 2006/0053291).

Regarding claim 11, Loreskar teaches the other device which is arranged externally to the at least one machine and which stores the root certificate of the at least one machine (see [0036] and Fig. 1: “The enrolment device 6 may also be in communication with various remote servers 10, 12, such as a certificate storing server 10 for storing certificates associated with a public key infrastructure”. And see [0040] and Fig. 4: “FIG. 4 shows an example of a chain of trust provided by a public key infrastructure. The public key infrastructure is represented by a hierarchy of certificates 30 which can be used for verifying the source of messages….Each OEM may then certify as valid particular electronic devices who may have their own certificates 30-D generated as children of the OEM certificates within the chain of trust”. The Examiner interprets the certificate storing server 10 storing the enrolment device certificate 30-D associated with the enrolment device 6 as a further device arranged externally to the at least one machine and configured to store the root certificate of the at least one machine);
signing the sub-certificate with the root certificate of the certification device of the at least one machine (see [0024] and Fig. 4: “the electronic device certificate may be a direct child certificate of the enrolment device certificate. Hence, the electronic device certificate may be signed with a private key associated with the enrolment device, which a third party can verify as valid using the enrolment device certificate which may specify the corresponding public key”) in order to identify the at least one device as belonging to the at least one machine (see [0045]: “the electronic device certificate for the IoT device 4 may specify an issuer identifier identifying the parent which issued the certificate (which could be the enrolment device 6 or a trusted application), so that a verifier can verify the signature on the IoT device certificate by obtaining the corresponding parent certificate”. And see [0031]: “The electronic device certificate may comprise metadata indicative of the circumstances in which the electronic device certificate was generated. For example, the metadata could include at least one of: …the enrolment device associated with generation of the electronic device certificate”. And see [0043]: “In addition to the public key 32, the IoT device certificate 30-I may include metadata 38 which may indicate other information about the way in which the IoT device certificate was generated. For example the metadata … could indicate …the enrolment device which is associated with generation of the electronic device certificate”).

Rooyakkers modified in view of Loreskar fails to teach preparing the data using the at least one device for sending to the other device; adding the sub-certificate to the prepared data, checking, using the other device, the data received from the at least one device of the at least one machine for trustworthiness with the root certificate of the at least one machine.
In the same field of endeavor, Brown teaches preparing the data using the at least one device for sending to the other device (see [0034]: “E-mail messages generated using the S/MIME and PGP techniques may include encrypted information, a digital signature on the message contents, or both”) 
adding the sub-certificate to the prepared data (see [0034]: “In signed S/MIME operations the sender takes a digest of a message and signs the digest using the sender's private key. A digest is essentially a checksum, CRC or other preferably non-reversible operation such as a hash of the message, which is then signed. The signed digest is appended to the outgoing message, possibly along with the certificate of the sender and possibly any required certificates or CRLs”. And see [0035]: “While verifying the signature on a signed message, the receiver of the message will also typically obtain a certificate chain for the signing certificate and verify that each certificate in the chain was signed by the next certificate in the chain, until a certificate is found that was signed by a root certificate from a trusted source”), 
checking, using the other device, the data received from the at least one device of the at least one machine for trustworthiness with the root certificate of the at least one machine (see [0035]: “While verifying the signature on a signed message, the receiver of the message will also typically obtain a certificate chain for the signing certificate and verify that each certificate in the chain was signed by the next certificate in the chain, until a certificate is found that was signed by a root certificate from a trusted source, such as, for example, a large Public Key Server (PKS) associated with a Certificate Authority (CA), such as, for example, Verisign or Entrust, both prominent companies in the field of public key cryptography. Once such a root certificate is found, a signature can be verified and trusted, since both the sender and receiver trust the source of the root certificate”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method  of Rooyakkers modified in view of Loreskar by adding the steps of preparing the data using the at least one device for sending to the other device; adding the sub-certificate to the prepared data, checking, using the other device, the data received from the at least one device of the at least one machine for trustworthiness with the root certificate of the at least one machine. It would have been obvious because doing so predictably achieves the benefit of ensuring secure data communication by checking the data using the certificate.
Rooyakkers modified in view of Loreskar and Brown as described above would teach preparing the data using the at least one device for sending to the other device which is arranged externally to the at least one machine and which stores the root certificate of the at least one machine; adding the sub-certificate to the prepared data, signing the sub-certificate with the root certificate of the certification device of the at least one machine in order to identify the at least one device as belonging to the at least one machine; checking, using the other device, the data received from the at least one device of the at least one machine for trustworthiness with the root certificate of the at least one machine, as recited by claim 11.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495