DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to application 17/185,300 filed on 2/25/2021.
Claims 21-40 have been examined and are pending in this application. As per the Preliminary Amendment filed on 2/25/2021, claims 1-20 were canceled; claims 21-40 have been added. Claims 21-40 are pending in this application.
The examiner notes the IDS filed on 2/25/2021 has been considered. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 21 and 31 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10,965,674.  Although the claims at issue are not identical, they are not patentably distinct from each other because:

The examiner notes that Claim 1 of U.S. patent No. 10,965,674 recites substantially similar subject matter, more specifically: 
A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for secure and efficient communications between clients and secure network resources, the operations comprising: identifying a first request from a client for access to a secure network resource; redirecting the client to an identity provider, wherein the identity provider is configured to: authenticate the client, and provide the client with data signed using a first identity provider key; identifying a second request from the client, the second request including a doubly-signed version of the data, which is the data signed using the first identity provider key and also signed using a first client key; wherein the client receives a signed version of a second client key from a trustee resource, the signed version of the second client key having been signed using a first trustee resource key; verifying the signed version of the second client key using a second trustee resource key corresponding to the first trustee resource key; verifying the doubly-signed version of the data using a second identity provider key corresponding to the first identity provider key, and the second client key; and allowing, conditional on a result of the verifying, the client to access the secure network resource.
The examiner notes that the features emphasized above are obvious variants to that claimed in the limitations of Claims 21 and 31 of the Instant Application.

Claims 22-30 and 32-40 depend from respective independent Claims 21 and 31 thus, would respectfully inherit the Double Patenting rejection.







Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 21-25, 29-31, 39 and 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1).

Regarding Claim 21;
Leong discloses a non-transitory computer readable medium including instructions that, when executed by at least one processor (FIG. 4 and [0092]-[0094]), cause the at least one processor to perform operations for secure and efficient communications between clients and secure network resources ([0018] [0024] and [0037]-[0038] and [0053]-[0054] – for obtaining service...), the operations comprising: 
...
authenticating the client ([0045] - The identity provider 610 is further responsible for creating and signing the identity attestation of identity for the user 230. The attestation may simply be a statement by the identity provider that it has verified the user identity physically); 
...
[creating] based on the authentication, access data corresponding to the client ([0045) - The identity provider 610 is further responsible for creating and signing the identity attestation of identity for the user 230. The attestation may simply be a statement by the identity provider that it has verified the user identity physically. The identity provider may sign the attestation using its private key. In one implementation, the identity attestation may include a set of attribute-level verification, e.g., name and date of birth. The attestation may further contain attribute level biometrics information, i.e., the type of biometrics information of the user that the identity provider tracks. The attestation preferably may not contain actual personal identifiable information (PII). The attestation signed by the identity provider 610 may be provided to the mobile identity wallet 606 of the user 230 (704). As discussed above, the attestation signed by the identity provider and received at the mobile identity wallet may be further signed by the mobile identity wallet using the private key of the user);
signing ... “access data” using a first identity provider key ([0045] - The attestation signed by the identity provider 610 may be provided to the mobile identity wallet 606 of the user 230 (704));9
providing, to the client, the signed access data ([0045] - The attestation signed by the identity provider 610 may be provided to the mobile identity wallet 606 of the user 230 (704)); 
wherein the client is configured to ([0045]):
receive the signed access data ([0045] - The attestation signed by the identity provider 610 may be provided to the mobile identity wallet 606 of the user 230 (704)); 
sign the signed access data using a first client key to form a doubly-signed version of the access data ([0045] - As discussed above, the attestation signed by the identity provider and received at the mobile identity wallet may be further signed by the mobile identity wallet using the private key of the user); and 
send the doubly-signed version of the access data to [s] secure resource for verification ([0046] - Continuing with FIG. 7, the trusted service provider 620/630 receives request for service from user 230 (706). The trusted service provider 620/630 may further receive the doubly signed identity attestation and data element identifier (which may be signed by the identity provider) of the user data element (identity index) in the permissioned DDSL from the mobile identity wallet for verifying the authenticity of the identity attestation (706)).
Leong fails to explicitly disclose:
receiving an indication of a first request by a client to access a secure network resource;
...
identifying..., access data corresponding to the client and the secure resource; 
...
sending, to the secure resource, a second identity provider key corresponding to the first identity provider key.
However, in an analogous art, Seidl teaches concepts of:
 receiving an indication of a first request by a client to access a secure network resource (Seidl,  FIG. 2 and FIG. 5 and [0050] - The message sequence 60 begins with the user client 52 issuing a request 61 (typically an HTTP Request) to the service provider 54, requesting access to a secure resource at the service provider.);
...
identifying... access data corresponding to the client and the secure resource (Seidl, FIG. 2 and FIG. 5 and [0070]-[0071] - ... the authentication assertion will typically contain a different identifier than the user ID retrieved in step 70: an identifier/pseudonym specific to service provider 54; the mapping is maintained by the identity provider);
...
sending, to the secure resource, [the authentication assertation] (Seidl, FIG. 2 and FIG. 5 and [0070]-[0071] - ... the authentication assertion will typically contain a different identifier than the user ID retrieved in step 70: an identifier/pseudonym specific to service provider 54; the mapping is maintained by the identity provider).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Seidl to the operations of Leong to include the concepts of receiving an indication of a first request by a client to access a secure network resource;... identifying... access data corresponding to the client and the secure resource (Seidl, [0070]-[0071] - ... the authentication assertion will typically contain a different identifier than the user ID retrieved in step 70: an identifier/pseudonym specific to service provider 54; the mapping is maintained by the identity provider); ... sending, to the secure resource, [the authentication assertation]
One would have been motivated to combine the teachings of Seidl to Leong to do so as it provides / allows more secure ...authentication (Seidl, [0023]).
Further, in an analogous art, Ronda teaches concepts of:
sending, to the secure resource, a second identity provider key corresponding to the first identity provider key (Ronda, [0042]-[0043] - n some cases, methods may further comprise: signing the second entry with a second key to generate a signed second entry, the second key being derived from a private key corresponding to the second user agent address; and transmitting the signed second entry to the second ledger. In some cases, the second ledger is configured to: verify the second key to generate a second signature verification result; store the second entry in the second ledger based on the second signature verification result; and transmit a second entry address to the user agent server, the second entry address identifying an address of the second entry in the second ledger.).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Ronda to the sending, to the secure resource step of Leong in view Seidl to include sending, to the secure resource, a second identity provider key corresponding to the first identity provider key
One would have been motivated to combine the teachings of Ronda to Leong in view Seidl to do so as it provides / allows improved methods and systems for electronic identity provision and verification (Ronda, [0004]).
Regarding Claim 22;
Leong in view of Seidl and Ronda disclose the medium to Claim 21.
	Seidl further teaches wherein receiving the indication comprises receiving a redirect from the secure resource, the redirect comprising the indication (FIG. 2 and FIG. 5 and [0050] - The message sequence 60 begins with the user client 52 issuing a request 61 (typically an HTTP Request) to the service provider 54, requesting access to a secure resource at the service provider. In response to the request 61, the service provider issues a redirect message 62 (such as an HTTP Redirect message), instructing the client 52 to obtain user credentials from a particular identity provider (i.e. the identity provider 56)).

Regarding Claim 23;
Leong in view of Seidl and Ronda disclose the medium to Claim 21.
	Leong further discloses wherein: the client is configured to generate the first client key and a second client key as part of an enrollment process in a network environment including the secure network resource (FIG. 6 and [0041] — the user may register... The mobile identity wallet 606 may further be responsible for generating a pair of private and public keys for the user); and the second client key corresponds to the first client key ([0041] — the user may register... The mobile identity wallet 606 may further be responsible for generating a pair of private and public keys for the user). As reasonably constructed a public/private key are constructed to correspond to one another.



Regarding Claim 24;
Leong in view of Seidl and Ronda disclose the medium to Claim 23.
	Leong further discloses wherein the operations further comprise receiving the second client key from the client ([0043] – FIG. 7 0- Sends Public Key and Continuing with FIG. 7, the identity provider 610 may receive biographic data of the user and the user public key at a service station of the identity provider 610.3).

Regarding Claim 25;
Leong in view of Seidl and Ronda disclose the medium to Claim 24.
	Leong further discloses wherein the second client key is received as part of the enrollment process ([0043] – FIG. 7 0- Sends Public Key and Continuing with FIG. 7, the identity provider 610 may receive biographic data of the user and the user public key at a service station of the identity provider 610.3)

Regarding Claim 29;
Leong in view of Seidl and Ronda disclose the medium to Claim 21.
	Seidl further teaches wherein the identity provider is further configured to redirect the
client to the secure network resource (Seidl, FIG. 2 and FIG. 5 – Redirect Assertion)





Regarding Claim 30;
Leong in view of Seidl and Ronda disclose the medium to Claim 29.
Leong further discloses communication ...that also includes the data signed using the first identity provider key ([0053]-[0054] — may first use the public key of the identity provider to decrypt... the public key of the user may be used to decrypt the attestation).
Seidl further teaches... the redirect from the identity provider is part of a communication
to the client (Seidl, FIG. 2 and FIG. 5 – Redirect Assertion)

Regarding Claim(s) 31; claim(s) 31 is/are directed to a/an method associated with the medium claimed in claim(s) 21. Claim(s) 31 is/are similar in scope to claim(s) 21, and is/are therefore rejected under similar rationale.

Regarding Claim 39;
Leong in view of Seidl and Ronda disclose the method to Claim 31
Seidl further teaches wherein receiving an indication of a first request by a client to access a secure network resource comprises receiving a redirect of the client from the secure resource, the redirect comprising the indication of a first request by the client to access the secure network resource (Seidl, FIG. 2 and FIG. 5 and [0050] - The message sequence 60 begins with the user client 52 issuing a request 61 (typically an HTTP Request) to the service provider 54, requesting access to a secure resource at the service provider. In response to the request 61, the service provider issues a redirect message 62 (such as an HTTP Redirect message), instructing the client 52 to obtain user credentials from a particular identity provider (i.e. the identity provider 56). In response to the redirect message 62, the client 52 sends a message 63 to the identity provider 56 seeking the authentication details required to access a service provided by the service provider 54. The message 63 may, for example, be an HTTP or HTTPS message).

Regarding Claim 40;
Leong in view of Seidl and Ronda disclose the method to Claim 31.
Leong further discloses wherein the secure resource is configured to: verify the first signature of the doubly-signed data using the second identity provider key ([0034] - the signed data element may be decrypted by anyone having access to the permissioned DDSL and the public key of that entity and [0035] - Thus, the identity provider and trusted service providers participating in the permissioned DDSL may be each be associated with a set of private and public keys. The private keys may be used by the participating entities to sign data elements to be inserted into the permissioned DDSL. The public keys may be used by others to decrypt data elements inserted into the permissioned DDSL. For example, the identity provider node may submit a data element associated with identity index of a particular individual into the permissioned DDSL 230 by signing the data element with its private key. Other certified trusted service providers may locate the data element in the permissioned DDSL using a data element identifier for the data element and decrypt the data element using the known public key of the identity provider during the process of conducting identity verification [0045] - As discussed above, the attestation signed by the identity provider and received at the mobile identity wallet may be further signed by the mobile identity wallet using the private key of the user and [0046] - Continuing with FIG. 7, the trusted service provider 620/630 receives request for service from user 230 (706). The trusted service provider 620/630 may further receive the doubly signed identity attestation and data element identifier (which may be signed by the identity provider) of the user data element (identity index) in the permissioned DDSL from the mobile identity wallet for verifying the authenticity of the identity attestation (706)); verify the second signature of the doubly-signed data using the verified second client key ([0017] -  In particular, each participant, not necessarily a trusted entity, may decrypt and access any data element in the DDSL using a public key of the party who has digitally signed the data element and inserted it into the DDSL and [0046] - Continuing with FIG. 7, the trusted service provider 620/630 receives request for service from user 230 (706). The trusted service provider 620/630 may further receive the doubly signed identity attestation and data element identifier (which may be signed by the identity provider) of the user data element (identity index) in the permissioned DDSL from the mobile identity wallet for verifying the authenticity of the identity attestation (706)); and grant access to the client based on the verification of the first and second signatures ([0046] – trusted service provider ... request for service... verification).

Claim(s) 26, 27, 34 and 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1) and further in view of Benantar (US 2003/0130947 A1).

Regarding Claim 26;
Leong in view of Seidl and Ronda disclose the medium to Claim 25.
Leong in view of Seidl and Ronda fail to explicitly disclose the operations further comprising: signing the second client key using a trustee resource key; and sending the signed second client key to the client device.
However, in analogous art, Benantar teaches further comprising: signing the second client key using a trustee resource key (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key); and sending the signed second client key to the client device key (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Benantar to the second client key of Leong in view of Seidl and Ronda to include the operations further comprising: signing the second client key using a trustee resource key; and sending the signed second client key to the client device.
One would have been motivated to combine the teachings of Benantar to Leong in view of Seidl and Ronda to do so as it provides / allows a trusted third party to a transaction, that is trusted to sign or issue certificates for other people or entities (Benantar, [0038]).

Regarding Claim 27;
Leong in view of Seidl and Ronda and Benantar disclose the medium to Claim 26.
Benantar further teaches wherein, authenticating the client comprises: receiving, from the client, the signed second client key (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key); verifying the signed second client key, using a second trustee resource key corresponding to the first trustee resource key (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key).

Regarding Claim 34;
Leong in view of Seidl and Ronda disclose the method to Claim 31.
	Leong further discloses wherein the second client key is received as part of the enrollment process ([0043] – FIG. 7 0- Sends Public Key and Continuing with FIG. 7, the identity provider 610 may receive biographic data of the user and the user public key at a service station of the identity provider 610.3)
Leong in view of Seidl and Ronda fail to explicitly disclose the operations further comprising: signing the second client key using a trustee resource key; and sending the signed second client key to the client device.
However, in analogous art, Benantar teaches further comprising: signing the second client key using a trustee resource key (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key); and sending the signed second client key to the client device key (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Benantar to the second client key of Leong in view of Seidl and Ronda to include the operations further comprising: signing the second client key using a trustee resource key; and sending the signed second client key to the client device.
One would have been motivated to combine the teachings of Benantar to Leong in view of Seidl and Ronda to do so as it provides / allows a trusted third party to a transaction, that is trusted to sign or issue certificates for other people or entities (Benantar, [0038]).

 Regarding Claim(s) 38; claim(s) 38 is/are directed to a/an method associated with the medium claimed in claim(s) 27. Claim(s) 38 is/are similar in scope to claim(s) 27, and is/are therefore rejected under similar rationale.

Claim(s) 28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1) and further in view of Atherton (US 2012/0131350 A1).

Regarding Claim 28;
Leong in view of Seidl and Ronda disclose the medium to Claim 21.
Leong in view of Seidl and Ronda fail to explicitly disclose wherein the first client key is based on at least one of: biometric data or biological data.
However, in analogous art, Atherton teaches wherein the first client key is based on at least one of: biometric data or biological data (Atherton, [0157]-[0159] – biometrically associated cryptographic key pair).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Atherton to the first client key of Leong in view of Seidl and Ronda to include wherein the first client key is based on at least one of: biometric data or biological data
One would have been motivated to combine the teachings of Atherton to Leong in view of Seidl and Ronda to do so as it provides / allows for an increased secure identification of individuals (Atherton, [0002]).




Claim(s) 32 and 33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1) and further in view of Benantar (US 2003/0130947 A1) and Campagna at al. (US 2013/0046972 A1).

Regarding Claim 32;
Leong in view of Seidl and Ronda disclose the method to Claim 31.
Leong in view of Seidl and Ronda fail to explicitly disclose wherein the client is configured to receive a plurality of signed versions of the second client key from a plurality of trustee resources, the plurality of signed versions of the second client key having been signed using a plurality of first trustee resource keys of the plurality of trustee resources.
However, in analogous art, Benantar teaches wherein the client is configured to receive a [signed version] of the second client key from a ... trustee [resource], the ... signed [version] of the second client key having been signed using a ...first trustee resource [key] (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Benantar to the second client key of Leong in view of Seidl and Ronda to include wherein the client is configured to receive a [signed version] of the second client key from a ... trustee [resource], the ... signed [version] of the second client key having been signed using a ...first trustee resource [key].
One would have been motivated to combine the teachings of Benantar to Leong in view of Seidl and Ronda to do so as it provides / allows a trusted third party to a transaction, that is trusted to sign or issue certificates for other people or entities (Benantar, [0038]).
Further, in an analogous art, Campagna wherein the client is configured to receive a plurality of signed versions ... from a plurality of trustee resources, the plurality of signed versions ...having been signed using a plurality of first trustee resource keys of the plurality of trustee resources... (Campagna, [0004] – The signature part consist of the digital signature of a certification authority (CA)... and [0014] - A uses a single key pair to generate multiple requests to a plurality of different certificate authorities to provide a plurality of credentials or implicit certificates, such as Elliptic Curve Qu-Vanstone (ECQV) implicit certificates or ECQV-based credentials. To this end, the subscriber entity may use an initial registered public key to make multiple certificate requests to different certificate authorities to obtain multiple ECQV certificates as a means to accept registration of a subscriber entity device into a subsequent Public Key Infrastructure (PKI) transaction. As a result, a single public key is used to generate two or more certificates in different certificate authority domains without the registration costs that would otherwise be required to provision additional credentials onto the network).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Campagna to the client key of Leong in view of Seidl and Ronda and Benantar to include wherein the client is configured to receive a plurality of signed versions ... from a plurality of trustee resources, the plurality of signed versions ...having been signed using a plurality of first trustee resource keys of the plurality of trustee resources... 
One would have been motivated to combine the teachings of Campagna to Leong in view of Seidl and Ronda and Benantar to do so as it provides / allows generating credentials and certificates for implicitly verifying a public key (Campagna, [0002]).

Regarding Claim 33;
Leong and Seidl and Ronda and Benantar and Campagna disclose the method to Claim 32.
Benantar further teaches further comprising receiving the ... signed [version] of the second client key and verifying the ... signed [version] of the second client key using a ...second trustee resource [key] (Benantar, [0039] - If a certificate authority issues a certificate for an entity, the entity must provide a public key and some information about the entity. A software tool, such as specially equipped Web browsers, may digitally sign this information and send it to the certificate authority. The certificate authority might be a company like VeriSign that provides trusted third-party certificate authority services. The certificate authority will then generate the certificate and return it and [0040] - Typically, after the certificate authority has received a request for a new digital certificate, which contains the requesting entity's public key, the certificate authority signs the requesting entity's public key with the certificate authority's private key and places the signed public key within the digital certificate. Anyone who receives the digital certificate during a transaction or communication can then use the public key of the certificate authority to verify the signed public key within the certificate. The intention is that an entity's certificate verifies that the entity owns a particular public key).
Campagna further teaches comprising receiving the plurality of signed versions ...and verifying the plurality of signed versions ... using a plurality of second trustee resource keys corresponding to the plurality of first trustee resource keys (Campagna, [0004] – The signature part consist of the digital signature of a certification authority (CA)... and [0014] - A uses a single key pair to generate multiple requests to a plurality of different certificate authorities to provide a plurality of credentials or implicit certificates, such as Elliptic Curve Qu-Vanstone (ECQV) implicit certificates or ECQV-based credentials. To this end, the subscriber entity may use an initial registered public key to make multiple certificate requests to different certificate authorities to obtain multiple ECQV certificates as a means to accept registration of a subscriber entity device into a subsequent Public Key Infrastructure (PKI) transaction. As a result, a single public key is used to generate two or more certificates in different certificate authority domains without the registration costs that would otherwise be required to provision additional credentials onto the network and [0024]).




Claim(s) 35 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1) and Benantar (US 2003/0130947 A1) and further in view of Atherton (US 2012/0131350 A1).

Regarding Claim 35;
Leong and Seidl and Atherton and Benantar disclose the method to Claim 34.
Leong and Seidl and Ronda and Benantar fail to explicitly disclose wherein the signed version of the second client key and an expiration attribute
Atherton further teaches wherein the signed version of the second client key and an expiration attribute (Atherton, [0158] and [0277] – public key values generated by BCU’s... and [0280] and [0282] – key Paris Kpv/Kpb that have known expiration or revocation dates/times).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Atherton to the second client key of Leong and Seidl and Ronda and Benantar to include wherein the first client key is based on at least one of: biometric data or biological data
One would have been motivated to combine the teachings of Atherton to Leong and Seidl and Ronda and Benantar to do so as it provides / allows for an increased secure identification of individuals (Atherton, [0002]).



Claim(s) 36 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1) and Benantar (US 2003/0130947 A1) and further in view of Kent (US 2017/0279784 A1).

Regarding Claim 36;
Leong and Seidl and Ronda and Benantar disclose the method to Claim 34.
Benantar further teaches ...the signed version of the second client key... ((Benantar, [0039]-[0040]).
Leong and Seidl and Ronda and Benantar fail to explicitly disclose wherein the... key has a number-of-use limitation.
However, in analogous art, Kent teaches wherein the... key has a number-of-use limitation (Kent, [0034] - The short-term private key may be used for a set time (e.g., 1 day, 1 week, 1 year), or may be used for a set number of times before it expires and is disposed (e.g., 1 time, 5 times, 10 times)).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Kent to the second client key of Leong and Seidl and Ronda and Benantar to include wherein the first client key is based on at least one of: biometric data or biological data
One would have been motivated to combine the teachings of Kent to Leong and Seidl and Ronda and Benantar to do so as it provides / allows for synchronized issuance of... digital certificates (Kent, [0001]).

Claim(s) 37 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leong et al. (US 2018/0367310 A1) in view of Seidl et al. (US 2011/0289573 A1) and Ronda et al. (US 2017/0250972 A1) and Benantar (US 2003/0130947 A1) and further in view of Potlapally et al. (US 9,935,937 B1).

Regarding Claim 37;
Leong and Seidl and Ronda and Benantar disclose the method to Claim 34.
Benantar further teaches ...the signed version of the second client key... ((Benantar, [0039]-[0040]).
Leong and Seidl and Ronda and Benantar fail to explicitly disclose wherein the... key is based on a network security policy.
However, in analogous art Potlapally teaches wherein the... key is based on a network security policy (Potlapally, col. 2, lines 10-36 – A network security policy... may be encrypted with TPM-based keys... The credentials (e.g., SSL keys) may be wrapped with TPM-based keys...).).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Potlapally to the second client key of Leong and Seidl and Ronda and Benantar to include wherein the... key is based on a network security policy.
One would have been motivated to combine the teachings of Potlapally to Leong and Seidl and Ronda and Benantar to do so as it provides / allows for implementing authorized network security policies using TPM based credentials (Potlapally, col. 2, lines 10-23).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439