DETAILED ACTION

Claims 1-20 are presented for examination.

Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Allowable Subject Matter

Claims 3-5 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Objections

Claim 14 is  objected to because of the following informalities:  Incorrect status.  Appropriate correction is required.

	Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims1-2, and 6-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brown et al. (US Patent Application No. US 20180083971 A1) (Hereinafter Brown) in view of Krishna et al. (US Patent Application No. 9819668) (Hereinafter Krishna).

As per claim 1,  Brown discloses a method of keyless authentication of computing services to an authentication service in a distributed computing system, the method comprising:
 receiving, at the authentication service, data representing an authentication request from a computing service for a security token configured to authenticate the computing service to other computing services in the distributed computing system, the authentication request including token previously issued by the authentication service to an application executed in a container on a server (para 22, A user token is a token issued to a user, and contains information identifying the respective use; fig 2, para 44, The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained), wherein the identity assertion token includes a digital data package (para 21, A token is a security credential that is compact and a self-contained way for securely proving one's identity electronically) that contains security credentials for an application identity under which the application is executed to provide the computing service (fig 2, para 44, The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained; fig 2, para 44, The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained); and 
in response to receiving the authentication request, at the authentication service (fig 2, para 44,  application token generation and installation. The application token  may be issued only after authentication of the caller token or similar authorization is obtained.), 
determining an identity of the application executed in the container on the 
server based (para 31, 1A and 1B are diagrams of one embodiment of a network of computing devices functioning as a set of server hosts for virtualized execution environments) on the token included in the received authentication request(fig 2, para 45, a new application token 215 is issued specifically for the child container application 213 and is used only by the child container application 213. The new application token 215 contains information that identifies the container application 213 for which it is created);
accessing a database for a record of authorization policy corresponding to 
the determined identity and determining whether the identity is 
authorized (para 14, 47, The token contains information that uniquely identifies the application.  An authorization set of the application can then be determined specific to the application and can be based on the authorization set of the user and/or platform policies) for issuance of a security token based on the accessed record of authorization policy(para 48,51-52, The container manager can enforce policies of the virtualization platform as they pertain to the creation of application tokens. The policies can define the type and scope of authorization sets to be given to the application tokens. In some example embodiments, the policies can restrict the authorization set to a subset of the authorization set of the caller. In some embodiments, the policies may include permissions in the authorization set that are not permitted to the caller); and 
in response to determining that the identity is authorized for a security token, 
generating and transmitting, to the computing service, the requested 
security token, thereby allowing the computing service to authenticate to 
other computing services in the distributed computing system without 
using digital certificates (para 48,51-52, The container manager can enforce policies of the virtualization platform as they pertain to the creation of application tokens. The policies can define the type and scope of authorization sets to be given to the application tokens. In some example embodiments, the policies can restrict the authorization set to a subset of the authorization set of the caller. In some embodiments, the policies may include permissions in the authorization set that are not permitted to the caller, no use of digital certificate).
Brown does not explicitly disclose the authentication request including an identity assertion token previously issued by the authentication service to an application executed in a container on a server.
However, Krishna discloses identity assertion token (535, fig 5,col 8, lines 46-57, claim 7), the authentication request including an identity assertion token previously issued by the authentication service (claim 7, fig 5,col 10, lines 46-56, determines whether a token is available for the user that indicates that the user has previously been authenticated with the identity server).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brown and Krishna. The motivation would have been to build the network that provide endpoint security solutions (both hardware and software based). 

As per claim 2, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Brown discloses: the received identity assertion token includes an application identifier and an identity name (para 29, the application token contains information that uniquely identifies the application.); and 
accessing the database includes querying the database for the record of authorization policy using the application identifier (para 30, policy:  token allows for the defining of a separate authorization set that determines the extent to which the container application is permitted to perform actions); and 
determining whether the identity is authorized includes determining whether the 
identity is authorized based on the identity name of the identity assertion token (para 29,  the application token contains information that uniquely identifies the application; para 52, the application token is utilized to authenticate that the application is authorized to invoke a function or call within the virtualization platform). Krishna discloses identity assertion token (535, fig 5,col 8, lines 46-57, claim 7).

As per claim 6, Brown discloses a method of keyless authentication of computing services to an authentication service in a distributed computing system, the method comprising: 
receiving (301, fig 3, receiving step), at a container manager on a server in the distributed computing system (209, container manager, fig 2), data representing a command to instantiate a computing service in a container on the server, the container being managed by the container manager (301,209,213, fig and  fig 3, para) ; and
 in response to receiving the command, at the container manager, transmitting a request to the authentication service for an identity assertion token corresponding to an application, wherein execution of the application in the container instantiates the computing service (fig 2 and fig 3, element307, para 50; fig 2, para 44, The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained); 
receiving, from the authentication service, the requested identity assertion token corresponding to the application to be executed in the container to instantiate the computing service (307, 309, fig 3, para 50), 
wherein the identity assertion token includes a digital data package that contains security credentials for an  identity under which the application is executed to provide the computing service (para 21, A token is a security credential that is compact and a self-contained way for securely proving one's identity electronically. The payload can contain information about the authenticated user; fig 2, para 44, The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained); and 
upon receiving the identity assertion token from the authentication service, storing the received identity assertion token in the container(309 fig 3, para 8the virtualization platform using the application token. The computing system includes a non-transitory machine readable medium having stored therein a container manage); and 
 modifying an entry of a configuration file in the container, the modified entry allows the instantiated computing service (para 47, the platform to instantiate a container in which an application  is to be instantiated) to access the stored identity assertion token in the container and authenticate the instantiated computing service to the authentication service using the identity assertion token (para 45, broadly reads on the ACL, authorization is determined for the specific application token recipient. Therefore, each application can have its own authorization set; The authentication is generally tied to a set of permissions or an authorization set of a user who has a set of user credentials that in turn can form or generate a user token). Brown does not explicitly disclose the authentication request including an identity assertion token previously issued by the authentication service to an application executed in a container on a server.
However, Krishna discloses identity assertion token (535, fig 5,col 8, lines 46-57, claim 7), the authentication request including an identity assertion token previously issued by the authentication service (claim 7, fig 5,col 10, lines 46-56, determines whether a token is available for the user that indicates that the user has previously been authenticated with the identity server).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brown and Krishna. The motivation would have been to build the network that provide endpoint security solutions (both hardware and software based). 

As per claim 7, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses wherein transmitting the request includes transmitting, to the authentication service (para 39, authentication/application server authenticates token), a request that includes data representing an identity of the container manager (fig 1A, container manager) and an identity of the application to be executed in the container (para 29, The application token contains information that uniquely identifies the application. Including applications running in a container).

As per claim 8, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses transmitting the request includes transmitting, to the authentication service, a request that includes data representing an identity of the container manager and an identity of the application to be executed in the container (para 29, The application token contains information that uniquely identifies the application. Including applications running in a container); 
and 
receiving the identity assertion token includes receiving the identity assertion token that has the identity of the application and an identity name under which the application is to be executed in the container (para 29, The application token contains information that uniquely identifies the application. Including applications running in a container).

As per claim 9, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses executing the application in the container to instantiate the computing service on the server upon receiving the identity assertion token (para 47, he container manager determines the authorization set for the application token) from the authentication service (para 47, the platform to instantiate a container in which an application  is to be instantiated).

As per claim 10, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses wherein modifying the entry of the configuration file includes modifying the entry of an access control list in the container, the entry allows only the executed application to access the stored identity assertion token (para 45, broadly reads on the ACL, authorization is determined for the specific application token recipient. Therefore, each application can have its own authorization set; The authentication is generally tied to a set of permissions or an authorization set of a user who has a set of user credentials that in turn can form or generate a user token.).

As per claim 11, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses further comprising: transmitting, from the instantiated computing service, an authentication request for a security token to the authentication service (para 45 , new application token), 
the authentication request including the stored identity assertion token (para 21, A token is a security credential that is compact and a self-contained way for securely proving one's identity electronically); 
receiving, from the authentication request, the requested security token (para 39, token can be processed by an authentication server such as the application authentication server 117 to verify that the user credential or the user token are valid or authorized); and 
authenticating, with the received security token, the computing device to one or more other computing services in the distributed computing system (para 45,  the new application token  can allow the application  to read from a database of the platform or access similar resources as may be consistent with an authorization set for the new application token).

As per claim 12, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses further comprising: accessing, with the instantiated computing service, the stored identity assertion token according to the entry in the configuration file in the container;
 transmitting, from the instantiated computing service, an authentication request for a security token to the authentication service,
 the authentication request including the accessed identity assertion token (para 21,45,  the new application token  can allow the application  to read from a database of the platform or access similar resources as may be consistent with an authorization set for the new application token); and 
receiving, from the authentication service, the requested security token (para 45,  the new application token  can allow the application  to read from a database of the platform or access similar resources as may be consistent with an authorization set for the new application token).

As per claim 13, claim is rejected for the same reasons and motivation as claim 6, above. In addition, Brown discloses further comprising:
 accessing, with the instantiated computing service, the stored identity assertion token according to the entry in the configuration file in the container (para 47, the received token. Upon validation, the API server  can coordinate with other components of the platform to instantiate a container  in which an application  is to be instantiated); 
transmitting, from the instantiated computing service, an authentication request for a security token to the authentication service (para 52, The application token may be issued to the specific application), 
the authentication request including the accessed identity assertion token (para 52, the application token is utilized to authenticate that the application is authorized to invoke a function or call within the virtualization platform); 
receiving, from the authentication service, the requested security token; and authenticating, with the received security token, the computing device to one or more other computing services in the distributed computing system (para 51, The application token can be generated to include any identification information unique to the application along with a digital signature or similar information for authentication. In addition, the application token can include or be tied to an authorization set. The container manager can enforce policies of the virtualization platform as they pertain to the creation of application tokens).

As per claim 14, claim is rejected for the same reasons and motivation as claim 1, above.

As per claim 15, claim is rejected for the same reasons and motivation as claim 14, above. In addition, Brown discloses  in response to determining that the computing service is not provided on the computing device by executing an application in a container (fig 3, para 50,the new token is created only if it does not exist), 
determine whether the computing service and the authentication service reside on a single host (fig 1A, 1B, para 41, The containers can be fixed to a particular host); and 
in response to determining that the computing service and the authentication service reside on a single host (fig 1A, 1B, para 41, The containers can be fixed to a particular host), authenticating the computing service to the authentication service for the security token using credentials of a user account of the computing service on the single host issued(para 45, an application token  that can be used by the application to make requests through the secure API. The application token  may be issued only after authentication of the caller token or similar authorization is obtained).

As per claim 16, claim is rejected for the same reasons and motivation as claim 14, above. In addition, Brown discloses  wherein the memory includes additional instructions executable by the processor to cause the computing device to:
 in response to determining that the computing service is not provided on the computing device by executing an application in a container, determine whether the computing service and the authentication service reside on a single host (Fig 1A-3, para 50, a process of a container manager to generate an application token. The container manager participates in the generation and distribution of the application token in coordination with the API server and similar components of the platform. The container manager receives a request from the API server to initiate an application with an application token based on a verified caller token such as a user token ); and
 in response to determining that the computing service and the authentication service reside on a single host, authenticating the computing service to the authentication service for the security token using credentials of a user account of the computing service on the single host, wherein the user account is visible only on the single host and having a privilege level with network access in the distributed computing system (para 51,  the policies can restrict the authorization set to a subset of the authorization set of the caller. In some embodiments, the policies may include permissions in the authorization set that are not permitted to the caller. For example, an application may be authorized to access a local database that a caller is not authorized to directly access).

As per claim 17, claim is rejected for the same reasons and motivation as claim 14, above. In addition, Brown discloses  wherein the memory includes additional instructions executable by the processor to cause the computing device to: 
in response to determining that the computing service is not provided on the computing device by executing an application in a container, determine whether the computing service and the authentication service reside on a single server(Fig 1A-3, para 50, a process of a container manager to generate an application token. The container manager participates in the generation and distribution of the application token in coordination with the API server and similar components of the platform. The container manager receives a request from the API server to initiate an application with an application token based on a verified caller token such as a user token ); and 
in response to determining that the computing service and the authentication service reside on a single server, authenticating the computing service to the authentication service for the security token using credentials of a user account of the computing service on the single host, wherein the user account is visible only on the single host and having a privilege level with network access in the distributed computing system.

As per claim 18, claim is rejected for the same reasons and motivation as claim 14, above. In addition, Brown discloses  wherein authenticate the computing service to the authentication service in the distributed computing system for the security token using an identity assertion token includes to: 
transmit, from the computing service, the authentication request for the security token to the authentication service, the authentication request including the stored identity assertion token; and receive, from the authentication request, the requested security token (para 52, Once the application token has been generated, then the application token can be provided to the application in the container).

As per claim 19, claim is rejected for the same reasons and motivation as claim 14, above. In addition, Brown discloses  wherein authenticate the computing service to the authentication service in the distributed computing system for the security token using an identity assertion token includes to: 
access, with the computing service, the identity assertion token according to an entry in a configuration (para 41,  platform can support any number of containers distributed across any number of the hosts 1-N and in any distribution or organization of the containers . The containers can be fixed to a particular host or can be configured by the platform to be capable of being moved, for example for load balancing, across the set of hosts 1-N. The containers can have varying user space sizes, accessible resources and similar variations in characteristics)  file in the container (fig 1A and 1B, para 31, In other embodiments, the platform may be implemented by a single computing device with any configuration of hardware, while in further embodiments);
 transmit, from the computing service, the authentication request for the security token to the authentication service, the authentication request including the accessed identity assertion token (para 52, Once the application token has been generated, then the application token can be provided to the application in the container); and 
receive, from the authentication service, the requested security token (para 52, Once the application token has been generated, then the application token can be provided to the application in the container)..

As per claim 20, claim is rejected for the same reasons and motivation as claim 14, above. In addition, Brown discloses  wherein authenticate the computing service to the authentication service in the distributed computing system for the security token using an identity assertion token includes to: 
access, with the computing service, the identity assertion token according to an entry in a configuration file in the container (fig 3,para 52, Once the application token has been generated, then the application token can be provided to the application in the container); 
transmit, from the computing service, the authentication request for the security token to the authentication service, the authentication request including the accessed identity assertion token (para 52, Once the application token has been generated, then the application token can be provided to the application in the container); 
receive, from the authentication service, the requested security token; and 
authenticate, with the received security token (para 52, Once the application token has been generated, then the application token can be provided to the application in the container),  The containers can be fixed to a particular host or can be configured by the platform to be capable of being moved, for example for load balancing, across the set of hosts 1-N,
 the computing device to the other computing services in the distributed computing system (para 41).

Response to Arguments

Applicant's arguments filed 07/14/2022 have been fully considered but they are not persuasive, therefore rejections to claims 1-2, and 6-20 is maintained.

In the remarks applicants argued that:

Argument: Brown does not disclose receiving, at the authentication service, data representing an authentication request from a computing service for a security token configured to authenticate the computing service to other computing services in the distributed computing system, the authentication request including token previously issued by the authentication service to an application executed in a container on a server, wherein the identity assertion token includes a digital data package that contains security credentials for an application identity under which the application is executed to provide the computing service.
Response: Brown discloses  receiving, at the authentication service, data representing an authentication request from a computing service for a security token (para 44, application token) configured to authenticate the computing service to other computing services in the distributed computing system (fig 2, para 44-45, receiving a request for a application token from an application based on a previously issued and verified caller token), the authentication request including token (para 44-45, authentication/caller token) previously issued by the authentication service to an application executed in a container on a server (fig 2, para 44-45, receiving a request for a application token from an application based on a previously issued and verified caller token), wherein the identity assertion token includes a digital data package (para 21, A token is a security credential that is compact and a self-contained way for securely proving one's identity electronically) that contains security credentials for an application identity under which the application is executed to provide the computing service (fig 2, para 44, The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained.). Krishna discloses identity assertion token (535, fig 5,col 8, lines 46-57, claim 7). Please see the motivation above (para 7).

Argument: Brown does not disclose transmitting, to the computing service, the requested security token, thereby allowing the computing service to authenticate to 
other computing services in the distributed computing system without 
using digital certificates (para 48,51-52, The container manager can enforce policies of the virtualization platform as they pertain to the creation of application tokens. The policies can define the type and scope of authorization sets to be given to the application tokens. In some example embodiments, the policies can restrict the authorization set to a subset of the authorization set of the caller. In some embodiments, the policies may include permissions in the authorization set that are not permitted to the caller, no use of digital certificate).
Response: Brown discloses transmitting, to the computing service, the requested security token (para 44-45, Application token, (fig 2, para 44-45, receiving a request for a application token from an application based on a previously issued and verified caller token), thereby allowing the computing service to authenticate to other computing services in the distributed computing system without using digital certificates (para 48,51-52, The container manager can enforce policies of the virtualization platform as they pertain to the creation of application tokens. The policies can define the type and scope of authorization sets to be given to the application tokens. In some example embodiments, the policies can restrict the authorization set to a subset of the authorization set of the caller. In some embodiments, the policies may include permissions in the authorization set that are not permitted to the caller, no use of digital certificate).
Argument: Regarding claim 6 and 14, Brown does not disclose receiving, at a container manager on a server in the distributed computing system , data representing a command to instantiate a computing service in a container on the server, the container being managed by the container manager.
Response:  Brown discloses receiving (301, fig 3, receiving step), at a container manager on a server in the distributed computing system (209, container manager, fig 2, Para 44-45,  The application 213 is to run in the created container 211 and is issued an application token 215 that can be used by the application 213 to make requests through the secure API 207. The application token 215 may be issued only after authentication of the caller token or similar authorization is obtained.), data representing a command to instantiate a computing service in a container on the server, the container being managed by the container manager (301,209,213, fig and  fig 3, see also para 29).

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MOHAMMAD A SIDDIQI/           Primary Examiner, Art Unit 2493