Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
The present application claims the benefit of U.S. Provisional Patent Application No. 62/582,557, titled “Blockchain Single Sign-on for Cloud Services” filed Nov. 7, 2017, and U.S. Provisional Patent Application No. 62/722,652 titled “Blockchain Single Sign-on for Cloud Services” filed Aug. 24, 2018. Each of the above applications is incorporated by reference herein in its entirety.
DETAILED ACTION
This Office Action is in response to an amendment application received on 07/22/2022. In the response, Applicant has amended claims 8 and 18-19. Claims 9-17 and 20 remain original. No new claim has been added. Claims 1-7 remain cancelled. 
For this Office Action, claims 8-20 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections – 35 USC § 103
Applicant’s arguments, filed 07/22/2022, with respect to the rejection of claims under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claim 18 rejected under 35 U.S.C. 112(b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, regards as the invention.
Examiner notes that claim 18 is dependent on independent claim 8 which recites method steps performed by ‘a user authentication system’ however the ‘wherein’ clause recited in dependent claim 18 is performed by ‘a certificate issuer system’ issuing and transmitting the certificate to the user and upon successful transmission of the certificate, removes the certificate from the memory of the ‘certificate issuer system’. The steps recited in claim 18 are outside the scope of claimed method steps in independent claim 8 and does not limit the scope of claim 8 because these steps are performed by ‘a certificate issuer system’ which is not part of the ‘user authentication system’. 
Examiner also notes that the amended claim 18 language is taken from restricted claim 7 which recites as “deleting, by the certificate issuer system, the user information and checksum from the certificate issuer system after said transmitting the digital certificate to the user device”, and is part of “a certificate issuer system” of claim 1 and therefore is considered outside the scope of independent claim 8 which recites method steps performed by “user authentication system”.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 8-10, 13-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Won et al., (US20180183587A1) and in view of Smets et al., (US20180232734A1) and further in view of Rosenoer., (US20190020468A1).
Regarding claim 8, Won discloses:
	An authentication method comprising:
receiving, by a user authentication system (i.e., Server 140), certificate information (i.e., ID, public key, the public key algorithm (ALG) etc.; See [0066]) associated with a digital certificate (See FIG. 5; [0066] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140),
wherein the certificate information comprises: a unique public key (i.e., IoT Device Public key) and checksum algorithm information (See [0066] i.e., Algorithm (ALG) e.g. RSA or ECC used by IoT Device) specifying a checksum algorithm ([0066] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140. ALG is the signature algorithm used by IoT device 100, e.g., RSA with 2048-bit key length or Elliptic Curve Cryptography with SECP256r1);
retrieving, by the user authentication system, authenticity information associated with the digital certificate ([0016] In one embodiment, an IoT device is registered in a blockchain name/value storage (NVS) by an installation device working in conjunction with the IoT device … The installation device runs a blockchain wallet with the NVS and adds the ID and hash of the public key broadcast by the IoT device as a name-value pair in the NVS. The hash of the public key may then be retrieved from the NVS and used in authentication of the IoT device to other IoT devices or servers,; Also See [0032] which discloses IoT device public key and hash is retrieved by server 140 from the NVS 126 during authentication process),
wherein the authenticity information is stored at a location associated with a distributed ledger system (i.e., blockchain core comprises of “name/value storage” (NVS) 126 which is part of server 140; See FIG. 1) ([0016] In one embodiment, an IoT device is registered in a blockchain name/value storage (NVS) by an installation device working in conjunction with the IoT device … The installation device runs a blockchain wallet with the NVS and adds the ID and hash of the public key broadcast by the IoT device as a name-value pair in the NVS. The hash of the public key may then be retrieved from the NVS and used in authentication of the IoT device to other IoT devices or servers,; Also See [0032] which discloses IoT device public key and hash is retrieved by server 140 from the NVS 126 during authentication process), and
wherein the authenticity information comprises the unique public key (i.e., IoT Device’s Public Key) and a first checksum (i.e., IoT device's ID/H(PUB_KEY)) ([0032] server 140 may authenticate IoT device 100 by receiving the IoT device's 100 ID 106, public key 110, and other relevant information from IoT device 100; checking that ID 106 belongs to a registered IoT device; computing a hash of public key 110; checking that the computed hash of public key 110 matches a hash of the IoT device's public key retrieved from NVS 126; [0066] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140 … When IoT device 100 send its ID and a self-signed certificate, such a self-signed certificate may include information about the blockchain used to register the IoT device's ID/H(PUB_KEY));
calculating, by the user authentication system, a second checksum of the certificate information based on the checksum algorithm ([0069] At step 514, server 140 sends a query with the ID of IoT device 100 to the NVS. If the ID exists as a name in the NVS, then the NVS will return a hash h′ of the public key which is the value associated with the ID in the NVS);
determining, by the user authentication system, that the first checksum matches the second checksum ([0070] Assuming the NVS returns such a hash of the public key, the state, and the expiration time (otherwise, the server may abort the authentication process), and the state is not “revoked” and the expiration time has not passed, then at step 516, server 140 determines whether the hash of the public key computed at step 512 equals the hash of the public key received from the NVS, i.e., whether h=h′); and
upon said determining that the first and second checksums match, authenticating the user device [IoT device] ([0071] On the other hand, if the hash of the public key computed at step 512 equals the hash of the public key received from the NVS, then method 500 proceeds to step 518; [0072] If IoT device 100 passes the challenge-response test, then at step 520, server 100 authenticates the IoT device 100),
wherein when the first and second checksums do not match, denying authenticating the user device [IoT device] ([0071] If the hash of the public key computed at step 512 does not equal the hash of the public key received from the NVS, then IoT device 100 is not authenticated).
Won explicitly fails to disclose:
	generating an authentication confirmation based on successful authentication of the user device [IoT device]; wherein the authentication confirmation is not generated when the user device [IoT device] authentication is not successful.
However, Smets discloses:
	generating an authentication confirmation based on successful authentication [i.e., performing some action] of the user device [IoT device] ([0060] when authentication of the IoT device 122 is successful at 404, the IoT server 130 implements any identified payment preferences provided by the consumer 112, at 414 (e.g., as received from the consumer 112 at 316 in the method 300, etc.) and requests, at 416, from the payment engine 132, payment credentials for the selected payment account (based on the consumer payment preferences) that is linked to the device identifier of the IoT device 122);
wherein the authentication confirmation is not generated when the user device [IoT device] authentication is not successful ([0059] With continued reference to FIG. 4, when authentication of the IoT device 122 fails at 404, the IoT server 130 sends (or transmits) a transaction rejection message to the IoT device 122, at 410 … In turn, at 412, the IoT device 122 receives the transaction rejection message and may cause a rejection alert or message to display on an interface).
	It would have been obvious to an ordinary skilled in the art before the effective filing date of the claimed invention to modify the Won reference and include a system and method in which a authentication confirmation message is generated for the user device [IoT device] by the authentication system based on authentication process, as disclosed by Smets.
	The motivation to include the system and method in which a confirmation message is generated for the user device [IoT device] by the authentication system based on authentication process is to clearly and evidently notify the user through the IoT device interface or by some other means whether the authentication of IoT device is successful or not. 
The combinationof Won and Smets fails to disclose:
	removing at least one of the second checksum and the digital certificate from memory of the user authentication system.
However, Rosenoer discloses:
	removing at least one of the second checksum and the digital certificate from memory of the user authentication system (See Abstract, FIG. 3A; [0036] and FIG. 3B; [0037] discloses identifying a match of the hash and the hash value associated with the one or more identifiers, authorizing the user account, responsive to identifying the match of the hash and the hash value associated with the one or more identifiers, and deleting the hash, the new identifier, and the hash value associated with the one or more identifiers stored in the blockchain [i.e., user authentication system] responsive to authorizing the user account).
	An ordinary skill in the art before the effective filing date of the claimed invention would be motivated to modify the Won and Smets references and include an operation disclosed by Rosenoer to delete the authentication values such as verified/matched hashes from the authentication system in order to ensure privacy of the user.
Regarding claim 9, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 8, wherein: the certificate information is received from a cloud application (i.e., communication application 104 running in IoT Device 100) (Won: [0066] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140. ALG is the signature algorithm used by IoT device 100, e.g., RSA with 2048-bit key length or Elliptic Curve Cryptography with SECP256r1); and 
the method further comprises transmitting the generated authentication confirmation to the cloud application (Won: [0071] On the other hand, if the hash of the public key computed at step 512 equals the hash of the public key received from the NVS, then method 500 proceeds to step 518; [0072] If IoT device 100 passes the challenge-response test, then at step 520, server 100 authenticates the IoT device 100).
Regarding claim 10, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 9, wherein: the certificate information is received from the cloud application when the cloud application receives the digital certificate from a user device associated with a user attempting to perform an action (i.e., an authentication of an IoT device) relating to the cloud application (Won: [0065] FIG. 5 is a flow diagram depicting a method 500 for mutual authentication between an IoT device using a blockchain-assisted PKI and a server relying on a traditional certificate authority PKI, according to an embodiment. Although discussed with respect to a server); and 
said transmitting the generated authentication confirmation causes the cloud application to allow the user [IoT device] to perform the action (Won: [0071] On the other hand, if the hash of the public key computed at step 512 equals the hash of the public key received from the NVS, then method 500 proceeds to step 518; [0072] If IoT device 100 passes the challenge-response test, then at step 520, server 100 authenticates the IoT device 100).
Regarding claim 13, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 8, wherein the certificate information is received from a user device (Won: [0066] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140).
Regarding claim 14, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 13, further comprising: 
receiving, by the user authentication system, from the user device, a request to perform an action relating to the user authentication system (Smets: [0054] In method 400, the IoT device 122, having already been registered with the IoT server 130 (e.g., via method 300, etc.), sends (or transmits) a transaction request, including its device identifier (and/or location), to the IoT server 130, at 402); and 
upon said generating the authentication confirmation, allowing the user device to perform the action (Smets: [0060] when authentication of the IoT device 122 is successful at 404, the IoT server 130 implements any identified payment preferences provided by the consumer 112, at 414 (e.g., as received from the consumer 112 at 316 in the method 300, etc.) and requests, at 416, from the payment engine 132, payment credentials for the selected payment account (based on the consumer payment preferences) that is linked to the device identifier of the IoT device 122), 
wherein the user device is not permitted to perform the action when the authentication confirmation is not generated (Smets: [0059] With continued reference to FIG. 4, when authentication of the IoT device 122 fails at 404, the IoT server 130 sends (or transmits) a transaction rejection message to the IoT device 122, at 410 … In turn, at 412, the IoT device 122 receives the transaction rejection message and may cause a rejection alert or message to display on an interface).	
Regarding claim 15, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 14, wherein the user authentication system comprises a cloud application (Won: [0017] FIG. 1 depicts a computing environment in which one or more embodiments may be implemented. As shown, an IoT device 100 is in communication (e.g., via 802.15 (wireless personal area network (WPAN)) or Wi-Fi) with an installation device 120, and the IoT device 100 and installation device 120 are further in communication over a wide area network (WAN) 160, such as the Internet, with a public blockchain wallet 130, a data analytics server 140, and another IoT device 150. Although shown as communicating over WAN 160; [0032] server 140 may authenticate IoT device 100 by receiving the IoT device's 100 ID 106, public key 110, and other relevant information from IoT device 100).
Regarding claim 16, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 8, wherein the digital certificate conforms to a X.509 digital certificate standard (Won: [0087] In one embodiment, such a device may determine whether the IoT device presents a traditional X.509 certificate or the self-signed certificate that provides the information about the blockchain used to register the IoT device's ID/H(PUB_KEY). If the certificate is the X.509 certificate, then traditional CA-based authentication may be used).
Regarding claim 19, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 8, wherein the certification information enables the user authentication system to confirm user ownership of the digital certificate (Won: [0013] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140).
Regarding claim 20, the combination of Won, Smets and Rosenoer discloses:
A method according to claim 8, wherein the certificate information further comprises one or more of: identity information, location information specifying the location, a unique ID, an issuer name, and a validity period (Won: [0066] In order for server 140 to authenticate IoT device 100, at 506, IoT device 100 transmits its ID, public key, the public key algorithm (ALG), the blockchain name (BLK), and potentially other information (ETC), along with the signature of (ID∥public key∥ALG∥BLK∥ETC), to server 140. ALG is the signature algorithm used by IoT device 100, e.g., RSA with 2048-bit key length or Elliptic Curve Cryptography with SECP256r1).


Claims 11-12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Won et al., (US20180183587A1) in view of Smets et al., (US20180232734A1) in view of Rosenoer., (US20190020468A1) and further in view of Spangenberg et al., (US20200327629A1) hereinafter referred as Span.
Regarding claim 11, the combination of Won, Smets and Rosenoer fails to disclose:
A method according to claim 10, wherein the location [of the certificate information] comprises an address of a smart contract associated with the distributed ledger system.
However, Span discloses:
wherein the location [of the certificate information] comprises an address of a smart contract associated with the distributed ledger system ([0061] A computer, network, or blockchain, may deploy a smart contract. A smart contract is computer code that implements transactions of a contract. The computer code may be executed in a secure platform (e.g., an Ethereum platform, IBM Hyperledger platform) that supports recording transactions in blockchains; [0063] a smart contract may be accompanied by a digital certificate, or a digital signature which contains information regarding the source of the transaction. The computer, network, or blockchain will validate this information and determine the authenticity of the source of the transaction prior to deploying the smart contract).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Won, Smets and Rosenoer references and have a smart contract in a blockchain network which contains information about digital certificate, as disclosed by Span.
The motivation to include the smart contract in a blockchain network which contains information about digital certificate is to be able to authenticate the certificate information leveraging blockchain’s immutable verification. 
Regarding claim 12, the combination of Won, Smets and Rosenoer fails to disclose:
A method according to claim 11, wherein the user authentication system comprises a decentralized application associated with the distributed ledger system.
However, Span discloses:
wherein the user authentication system comprises a decentralized application associated with the distributed ledger system ([0035] The proposed method envisions a tool powered by smart contracts, and combines several approaches from the legal and payment industries into a blockchain format. With blockchain as the core technology, the present invention further proposes a Registry (“IPWe Registry”) as a Decentralized Application (“DApp”) that will allow each party to a patent transaction—including the owner, licensee, buyer, broker and lawyers—to sign off on a transaction for patents; [0039] In one embodiment, the DAPP will include a centralized interface and decentralized smart contract to streamline existing patent registration and transactions by, among other things, simplifying the registration process and making ownership information more accessible).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Won, Smets and Rosenoer references and have a system with decentralized application through the use of smart contracts in a blockchain network, as disclosed by Span.
The motivation to include decentralized application through the use of smart contracts in a blockchain network is to allow users to trust the decentralized application in the smart contract as it runs on blockchain and is outside the purview and control of a single authority. 
Regarding claim 17, the combination of Won, Smets and Rosenoer fails to disclose:
A method according to claim 8, wherein the location comprises a smart contract address.
However, Span discloses: 
wherein the location comprises a smart contract address ([0061] A computer, network, or blockchain, may deploy a smart contract. A smart contract is computer code that implements transactions of a contract. The computer code may be executed in a secure platform (e.g., an Ethereum platform, IBM Hyperledger platform) that supports recording transactions in blockchains; [0063] a smart contract may be accompanied by a digital certificate, or a digital signature which contains information regarding the source of the transaction. The computer, network, or blockchain will validate this information and determine the authenticity of the source of the transaction prior to deploying the smart contract).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Won, Smets and Rosenoer references and have a smart contract in a blockchain network which contains information about digital certificate, as disclosed by Span.
The motivation to include the smart contract in a blockchain network which contains information about digital certificate is to be able to authenticate the certificate information leveraging blockchain immutable verification. 

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Won et al., (US20180183587A1) in view of Smets et al., (US20180232734A1) in view of Rosenoer., (US20190020468A1) and further in view of Ogura., (US20040255113A1).
Regarding claim 18, the combination of Won, Smets and Rosenoer fails to disclose:
A method according to claim 8, wherein the digital certificate is issued by a certificate issuer system that removes at least one of received identity information, the digital certificate, and the first checksum from a second memory of the certificate issuer system after transmitting the digital certificate to a user.
However, Ogura discloses:
	wherein the digital certificate is issued by a certificate issuer system that removes at least one of received identity information, the digital certificate, and the first checksum from a second memory of the certificate issuer system after transmitting the digital certificate to a user ([0095-0096] and [0107] discloses that after successful transmission of the digital certificate from the certificate management device 607 via communication terminal 150 [together construed as certificate issuer system] to the factory terminal 160 [construed as user], the certificate management device 607 deletes the corresponding certificate from the certificate database).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Won, Smets and Rosenoer references and include a certificate management device which issues and transmits a user certificate to the user device and upon successful transmission of the user certificate, the user certificate information is deleted from the memory of the certificate management device by the certificate management device, as disclosed by Ogura.
	The motivation to have such a certificate management device which deletes the user certificate from its memory upon successful transmission to the user device is to improve security of the user certificate and ensuring the privacy of the user device by storing sensitive data only at the user device. 
	Examiner would like to note that the claim 18 is dependent of independent claim 8 which recites method steps performed by ‘a user authentication system’ whereas the ‘wherein’ clause recited in dependent claim 18 is performed by ‘a certificate issuer system’ issuing and transmitting the certificate to the user and upon successful transmission of the certificate, removes the certificate from the memory of the ‘certificate issuer system’. 
	The steps recited in claim 18 are outside the scope of claimed method steps presented in the independent claim 8 and does not limit the scope of claim 8. Therefore, it has been held that language that suggests or makes optional but does not require steps to be performed or does not limit a claim to a particular structure does not limit the scope of a claim or claim limitation. An example of such language includes statements of intended use or field of use (MPEP §2103 I C).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/S.M.A./Patent Examiner, Art Unit 2432