Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to applicant’s Claims filed on 12/31/2020 for Application #17/139,198 filed on 12/31/2020 in which Claims 1-20 are presented for examination.

Status of Claims
Claims 1-20 are pending, of which Claims 1-20 are considered allowable via Examiner’s Amendment.

Applicant’s Most Recent Claim Set of 12/31/2020
Applicant’s most recent claim set of 12/31/2020 is considered to be the latest claim set under consideration by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in a telephone interview with Matthew Williams on September 9, 2022.

The application has been amended as follows:

In the Claims:

Claim 1: (Currently Amended):
A computer-implemented method, comprising:

obtaining by a key management service of a computing resource service provider, a request cryptographic operation using a cryptographic key that is managed by the key management service, the request associated with an entity;
determining that a grant from a customer of the computing resource service provider specifies: (1) that the entity is authorized to perform the cryptographic operation, and (2) a rate limit for cryptographic operations that may be performed using the cryptographic key, the rate limit indicating at least an amount of cryptographic operations that may performed with the cryptographic key; and

as a result of determining, by the key management service, that the request complies with the rate limit, performing the cryptographic operation


Claim 2: (Currently Amended):
The computer-implemented method of claim 1, 
wherein performing the cryptographic operation includes performing [[the]] a decryption operation on data of the customer that is managed by the computing resource service provider to obtain decrypted data
providing, through a generated response, the decrypted data.


Claim 3: (Currently Amended):
The computer-implemented method of claim 1, further comprising:
obtaining by the key management service of a computing resource service provider, an other request to perform an other cryptographic operation using the cryptographic key; and
determining, based at least in part on the rate limit, to deny the other request


Claim 4: (Currently Amended):
The computer-implemented method of claim 1, further comprising: 
as result of a determination that [[the]] a challenge response provided by the of the entity is valid, performing the cryptographic operation.


Claim 5: (Currently Amended):
A system, comprising:
one or more processors; and
memory including instructions that, as a result of being executed by the one or more processors, cause the system to:
obtain by a key management service of a computing resource service provider, a request to using a cryptographic key that is managed by the key management service, the request associated with an entity;
determine that a grant from a customer of the computing resource service provider specifies: (1) that the entity is authorized to perform the cryptographic operation, and (2) a rate limit for cryptographic operations that may be performed using the cryptographic key, the rate limit indicating at least an amount of cryptographic operations that may be performed with the cryptographic key;
as a result of determining, at least in part by the key management service, that the request complies with the rate limit, perform the cryptographic operation.


Claim 6: (Currently Amended):
The system of claim 5, wherein the delegates a permission entity to utilize the cryptographic key to perform a set of cryptographic operations 


Claim 7: (Currently Amended):
The system of claim 5, wherein the instructions further cause the system to:
use the cryptographic key to decrypt data, and
wherein: 
the cryptographic key includes a plurality of cryptographic keys; 
the grant from the customer of the computing resources service provider specifies that the entity is authorized to perform the cryptographic operation includes specifying that the entity is authorized to cause the cryptographic operation to be performed on data stored within a computing resource service provided by the computing resource service provider; and
perform the cryptographic operation includes causing the cryptographic operation to be performed on the data stored within the computing resource service provided by the computing resource service provider   


Claim 8: (Currently Amended):
The system of claim 5, wherein 
the grant from the customer of the computing resource service provider specifies the rate limit for cryptographic operations that may be performed using the cryptographic key by the rate limit being associated with the cryptographic key that is associated with the entity 


Claim 9: (Currently Amended):
The system of claim 5, wherein the grant is from the customer by the rate limit specified by the grant being associated with the customer


Claim 10: (Currently Amended):
The system of claim 5, wherein the instructions further cause the system to:
evaluate the grant and determine that the rate limit applies to the request;
perform the cryptographic operation to obtain output data;
provide, in [[the]] a generated response, the output data 


Claim 11: (Currently Amended):
The system of claim 5, wherein the instructions further cause the system to:
implement a token data container for the grant; and
determine whether the token data container has a token available for use


Claim 12: (Currently Amended):
The system of claim [[5]] 11, wherein the instructions further cause the system to:
determine that a token required to perform the cryptographic operation is available from a token container;
provide, through [[the]] a generated response, output data generated as a result of performance of the cryptographic operation.


Claim 13: (Currently Amended):
A non-transitory computer-readable storage medium including stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
obtain, by a key management service of a computing resource service provider, a request to [[use]] perform a cryptographic using a cryptographic key that is managed by the key management service, the request associated with an entity 
determine that a grant from a customer of the computing resource service provider specifies: (1) that the entity is authorized to perform the cryptographic operation, and (2) a rate limit for cryptographic operations that may be performed using the cryptographic key, the rate limit indicating at least an amount of cryptographic operations that may be performed with the cryptographic key;
as a result of determining, by the key management service, that the request complies with the rate limit, performing the cryptographic operation


Claim 14: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to[[:]]
as a result of a determination that the request exceeds the rate limit, throttle access to the cryptographic key of the entity 


Claim 15: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein 
the request indicates an identifier for the cryptographic key, an identifier for the grant, or an identifier for the entity.


Claim 16: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein
the grant specifies that the entity is authorized to perform the cryptographic operation by including an identification of the entity.


Claim 17: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein 
grant indicates that the entity has a permission to decrypt particular data 


Claim 18: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein the instructions further cause the computer system to:
obtain, in response to the request, [[a]] the grant, wherein the grant specifies a permission delegated to the entity to utilize the cryptographic key to perform a set of cryptographic operations that is further specified by the grant; and
evaluate the grant to determine that the usage rate limitation is specified for the cryptographic key.


Claim 19: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein the entity includes a group of users or a principal of the grant


Claim 20: (Currently Amended):
The non-transitory computer-readable storage medium of claim 13, wherein: 
the cryptographic key includes a plurality of cryptographic keys; 
the grant from the customer of the computing resources service provider specifies that the entity is authorized to perform the cryptographic operation includes specifying that the entity is authorized to cause the cryptographic operation to be performed on data; and
perform the cryptographic operation includes causing the cryptographic operation to be performed on the data.


Reasons For Allowance
The following is an examiner’s statement of reasons for allowance:
Claims 1-20 are considered allowable.

The instant invention is directed to a method, a system, and a medium for providing the limiting of the rate of access to cryptographic keys that can be used to decrypt data that is protected using the cryptographic keys.

The closest prior art, as recited, Starr et al. US Patent Application Publication No. 2011/0078457 and Inoue et al. US Patent Application Publication No. 2009/0232312, are also generally directed to various aspects of providing the limiting of the rate of access to cryptographic keys that can be used to decrypt data that is protected using the cryptographic keys.  However, Starr et al. or Inoue et al. does not teach or suggest, either singularly or in combination, the particular combination of steps or elements as recited in the independent claim(s) 1, 5, 13.  For example, none of the cited prior art teaches or suggests the steps of:
Regarding Claim 1:
A computing resource service provider’s key management service receives a request from an entity to utilize a specific cryptographic key managed by the computing resource service provider’s key management service to execute specific cryptographic procedures, identifying that a grant from a customer of the computing resource service provider has specified that the entity has been authorized to execute the specific cryptographic procedures and that the grant from the customer of the computing resource service provider has also specified a rate limit of an amount of cryptographic procedures that are allowed to be executed with the specific cryptographic key, determining by the computing resource service provider’s key management service that the request from the entity complies with the rate limit specified by the grant, and if so allowing the execution of the cryptographic procedures with the specific cryptographic key.
When combined with the additional limitations found in Claim 1.

Regarding Claim 5:
A computing resource service provider’s key management service receives a request from an entity to utilize a specific cryptographic key managed by the computing resource service provider’s key management service to execute specific cryptographic procedures, identifying that a grant from a customer of the computing resource service provider has specified that the entity has been authorized to execute the specific cryptographic procedures and that the grant from the customer of the computing resource service provider has also specified a rate limit of an amount of cryptographic procedures that are allowed to be executed with the specific cryptographic key, determining by the computing resource service provider’s key management service that the request from the entity complies with the rate limit specified by the grant, and if so allowing the execution of the cryptographic procedures with the specific cryptographic key.
When combined with the additional limitations found in Claim 5.

Regarding Claim 13:
A computing resource service provider’s key management service receives a request from an entity to utilize a specific cryptographic key managed by the computing resource service provider’s key management service to execute specific cryptographic procedures, identifying that a grant from a customer of the computing resource service provider has specified that the entity has been authorized to execute the specific cryptographic procedures and that the grant from the customer of the computing resource service provider has also specified a rate limit of an amount of cryptographic procedures that are allowed to be executed with the specific cryptographic key, determining by the computing resource service provider’s key management service that the request from the entity complies with the rate limit specified by the grant, and if so allowing the execution of the cryptographic procedures with the specific cryptographic key.
When combined with the additional limitations found in Claim 13.

Therefore Claims 1-20 of the instant application are allowable over the cited prior art.
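
The grant check and rate-limit decision summarized above, together with the token container of Claims 11 and 12, sketched as an added example; it is not code from the application or from any provider's service. The class names, status strings, the time-based refill policy and the HMAC "Sign" operation are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Grant:
    """Customer-issued grant: who may do what with which key, and how often."""
    grant_id: str
    key_id: str
    grantee: str
    operations: frozenset
    capacity: int           # burst size: most tokens the container can hold
    refill_per_sec: float   # sustained rate limit (assumed refill policy)
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.capacity)

    def take_token(self, now: float) -> bool:
        # Refill for the elapsed time, cap at capacity, then try to spend one token.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class KeyService:
    def __init__(self):
        self.keys = {}    # key_id -> key bytes; never returned to callers
        self.grants = {}  # grant_id -> Grant

    def handle(self, entity, grant_id, key_id, operation, data, now):
        g = self.grants.get(grant_id)
        # Authorize first, so a denied caller cannot drain the grantee's tokens.
        if g is None or g.key_id != key_id or g.grantee != entity or operation not in g.operations:
            return ("AccessDenied", None)
        if operation != "Sign":  # only one operation is implemented in this sketch
            return ("UnsupportedOperation", None)
        if not g.take_token(now):
            return ("Throttled", None)
        return ("OK", hmac.new(self.keys[key_id], data, hashlib.sha256).hexdigest())
```

The clock is passed in as `now` so the throttling decision is deterministic and testable; a service would read a monotonic clock and persist the container state per grant.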

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sauerwald et al - US_20120288089: Sauerwald et al teaches utilizing rate limitation as a basis for key generation.
Kumar et al - US_20090164632: Kumar et al teaches rate limitation of key utilization.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRADLEY HOLDER whose telephone number is 571-270-3789.  The examiner can normally be reached on Monday-Friday 10:00AM-7:00PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw, can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BRADLEY W HOLDER/
Primary Examiner, Art Unit 2498