DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
1. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2. 	This is the initial office action that has been issued in response to patent application, 17/197,886, filed on 03/10/2021 Claims 1-20 are currently pending and have been considered below. Claims 1, 13 and 19 are independent claims. 

Priority
3. 	The application claims priority of provisional application PRO 63/029,902 filed on 05/26/2020.

Drawings
4. 	The drawings file on 03/10/2021 are accepted by the examiner. 

Information Disclosure Statement
5. 	The information disclosure statements (IDS’s) submitted on 03/10/2021 are in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement. 

Claim Rejections - 35 USC § 102

7. 	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.



8. 	Claims 1, 3-7, 10-14 and 16-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Jain (US Patent Publication No. US 2020/0162454 A1).

9. 	Regarding Claim 1, Jain  discloses, a method of establishing a future 2-way authentication between a client application and an application server, the method comprising: receiving, at an OpenID connect (OIDC) server, from a client application, a request to establish a secure connection from the client application, the request including: (a) a certificate generated using a public-private key pair associated with the client application or a user of the client application and (b) authentication credentials associated with the client application or the user of the client application (Jain, [0110], Authorization code flows may be associated with the Open ID Connect (OIDC) authentication layer, which may be on top of the OAuth 2.0 authentication framework. In an authorization code flow, a relying party may indicate that it wants to authenticate to an identify provider.  [0052], Client agent 304 may also call supporting services on gateway server 306, which may produce input material to derive encryption keys for the local data vaults 316, or may provide client certificates which may enable direct authentication to PKI protected resources. [0061], SSL certificate validation may be operable so the application specifically validates the server SSL certificate instead of it being stored in the keychain. [0010], authentication process may gather user credentials); 
determining, at the OIDC server, whether the authentication credentials are valid (Jain, [0103], The session manager may establish a session with client device 505 based on confirming the validity of the authentication token.); 
establishing, at the OIDC server, that the authentication credentials are valid, and responsively provisioning a cryptographic identifier of the certificate associated with the request to a list of trusted certificates (Jain, [0103], a session with client device 505 based on confirming the validity of the authentication token.); 
and providing, at the OIDC server, one or more application servers with access to the list of trusted certificates to enable the one or more application servers to authenticate the client application based on verifying that the cryptographic identifier of the certificate presented by the client application is provisioned into the list of trusted certificates(Jain, [0075], Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate and private key. Various use cases may be identified and treated accordingly, such as if or when an application behaves like a browser and no certificate access is required).  

10. 	Regarding Claim 3, Jain discloses, the method of claim 1, wherein the cryptographic identifier of the certificate is one of a certificate fingerprint or the public key of the certificate (Jain, [0075], Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate).  

11. 	Regarding Claim 4, Jain discloses, the method of claim 3, wherein when the cryptographic identifier of the certificate is the certificate fingerprint, the method further comprising: authenticating the client application at the one or more application servers based on verifying that the certificate fingerprint of the certificate presented by the client application is provisioned into the list of trusted certificates(Jain, [0081], Authentication system 420 may issue an authentication token to an authenticated user (e.g., a user that successfully authenticates with a federated identity provider) as a result of successfully completing an authentication procedure (e.g., logging in) in the enterprise network. In one example, users of client devices may log into a virtualized, cloud-based environment using their existing authentication credentials, which may be a username and password, biometric measurement (e.g., fingerprint scan, retina scan, facial recognition, voice recognition, etc.), entering an access code provided to a specified user device (e.g., the user’s smartphone may receive a message containing a code to enter into a portal provided by the relying party), or any other authentication means for access to the enterprise network. In response to the successful logging in of the user device, authentication system 420 may issue an authentication token for the authenticated user).  

12. 	Regarding Claim 5, Jain discloses, the method of claim 3, wherein when the cryptographic identifier of the certificate is the public key of the certificate, the method further comprising: authenticating the client application at the one or more application servers based on cryptographically verifying possession of the private key corresponding to the public key used to sign the certificate associated with the request received at the OIDC server(Jain, [0075], In some cases, managed applications 310 may be allowed to access a certificate and private key via an API (for example, OpenSSL). Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate and private key. Various use cases may be identified and treated accordingly).  

13. 	Regarding Claim 6, Jain discloses, the method of claim 1, further comprising: provisioning the cryptographic identifier of the certificate associated with the request to a list of un-trusted certificates when it is established that the authentication credentials are not valid (Jain, [0110], the OAuth authentication framework, and may comprise a resource owner password credentials grant under that framework. But other relying parties may be unable to support resource owner flows, such as where the relying party is an application or service that cannot securely receive user credentials (e.g., an untrusted application)).  

14. 	Regarding Claim 7, Jain discloses, the method of claim 1, further comprising linking a device identifier to the cryptographic identifier of the certificate associated with the request when the cryptographic identifier of the certificate is provisioned to the list of trusted certificates to enable the one or more application servers to authenticate the client application based on (a) verifying that the cryptographic identifier of the certificate presented by the client application is provisioned into the list of trusted certificates and (b) verifying that the client application presenting the cryptographic identifier of the certificate is associated with the device identifier to which the cryptographic identifier of the certificate is linked (Jain, [0075] In some cases, managed applications 310 may be allowed to access a certificate and private key via an API (for example, OpenSSL). Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate and private key. Various use cases may be identified and treated accordingly, such as if or when an application behaves like a browser and no certificate access is required, if or when an application reads a certificate for“who am I,” if or when an application uses the certificate to build a secure session token, and if or when an application uses private keys for digital signing of important data (e.g. transaction log) or for temporary data encryption.).  

15. 	Regarding Claim 10, Jain discloses, the method of claim 1, further comprising: selecting the one or more application servers based on services currently enabled for the client application (Jain, [0048], First server 206a may acquire an enumeration of applications available to the client machine 240 and well as address information associated with an application server 206 hosting an application identified within the enumeration of applications.).  

16. 	Regarding Claim 11, Jain discloses, the method of claim 10, further comprising: determining that a new service is enabled for the client application, and responsively selecting at least one other application server offering the new service (Jain, [0010], Client applications may include, for example, applications on a server accessed by users via a client device. The client applications may provide a service to the user using information and/or functionality provided by network resources and services. The network resources and services may be secured by one or more authentication processes,); 
and providing the at least one other application server with access to the list of trusted certificates to enable the at least one other application server to authenticate the client application based on verifying that the cryptographic identifier of the certificate presented by the client application is provisioned into the list of trusted certificates (Jain, [0052],  from client agent 304, which in turn may request it from gateway server 306. The application management framework 314 may request authentication, and client agent 304 may log into the gateway services part of gateway server 306. Client agent 304 may also call supporting services on gateway server 306, which may produce input material to derive encryption keys for the local data vaults 316, or may provide client certificates which may enable direct authentication. [0068], Another feature may relate to the enablement of a client side certificate for certain applications 310 as secondary credentials).  

17. 	Regarding Claim 12, Jain discloses, the method of claim 10, wherein the one or more application servers includes a video server, a messaging server, or a PTT server (Jain, [0099], OTP server may send an SMS message to a mobile phone associated with the user, and the user may enter a one time code into a page provided by OTP server 447 and/or authentication system 520.).  

18. 	Regarding Claim 13, Jain discloses, a method of establishing a future 2-way authentication between a client application and an application server, the method comprising: obtaining, at the client application, a certificate associated with the client application or a user of the client application (Jain, [0010], client applications may request that the authentication interface authenticate the client device / user based on a combination of Active Directory and One Time Password authentication processes. Client applications may include, for example, applications on a server accessed by users via a client device.); 
transmitting, at the client application, a request to establish a secure connection with an OpenID connect (OIDC) server, the request including the certificate and authentication credentials associated with the client application or the user of the client application (Jain. [0010], client applications may request that the authentication interface authenticate the client device / user based on a combination of Active Directory and One Time Password authentication processes. Client applications may include, for example, applications on a server accessed by users via a client device. The client applications may provide a service to the user using information and/or functionality provided by network resources and services.); 
receiving, at the client application, an OIDC token from the OIDC Server, the OIDC token providing an indication that the client application is successfully authenticated by the OIDC server (Jain, [0110], Authorization code flows may be associated with the Open ID Connect (OIDC) authentication layer, which may be on top of the OAuth 2.0 authentication framework. In an authorization code flow, a relying party may indicate that it wants to authenticate to an identify provider. The identity provider, in the authorization code flow, gathers credentials, authenticates the user, and returns an authorization token and/or code to the relying party. [0105], identity provider servers may issue an evidence of the successful sign-in the format of a SAML token, OpenlD Connect Identity token); 
and transmitting, at the client application, a request to establish a secure connection with an application server, and responsively establishing the secure connection with the application server based on a cryptographic identifier of the certificate being provisioned into a list of trusted certificates by the OIDC server(Jain, [0104], In some instances, when user devices attempt to login using the federated identity services, federated identity provider servers may issue an evidence of the successful sign-in the format of a SAML token, OpenlD Connect Identity token, OAuth Access Token, or other form of token. In particular, such authentication tokens may enable the user devices (such as client device 505) managed by the enterprise server (such as relying party 510) to have single- sign-on access to the third party system using the federated identity service).  

19. 	Regarding Claim 14, Jain discloses, the method of claim 13, wherein when the cryptographic identifier of the certificate is a certificate fingerprint, wherein establishing the secure connection with the application server further comprises: presenting the certificate in the request transmitted to the application server (Jain, [0025], the enterprise server to authenticate using both AD and OTP, the client application may need to generate two separate authentication requests.); 
and responsively receiving successful authorization from the application server based on the application server verifying that a certificate fingerprint of the certificate presented in the request is provisioned into the list of trusted certificates by the OIDC server(Jain, [0081], Authentication system 420 may issue an authentication token to an authenticated user (e.g., a user that successfully authenticates with a federated identity provider) as a result of successfully completing an authentication procedure (e.g., logging in) in the enterprise network. In one example, users of client devices may log into a virtualized, cloud-based environment using their existing authentication credentials, which may be a username and password, biometric measurement (e.g., fingerprint scan, retina scan, facial recognition, voice recognition, etc)).  

20. 	Regarding Claim 16, Jain discloses, the method of claim 13, wherein obtaining the certificate comprises: generating, at the client application, a public-private key pair, wherein the obtained certificate corresponds to a certificate that is self-signed using the public-private key pair (Jain, [0075], In some cases, managed applications 310 may be allowed to access a certificate and private key via an API (for example, OpenSSL). Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate and private key.).  

21. 	Regarding Claim 17, Jain discloses, the method of claim 13, wherein the certificate included in the request to the OIDC server includes a first service identifier associated with the OIDC server and the cryptographic identifier of the certificate presented by the client application to the application server includes a second service identifier associated with the application server (Jain, [0110], Some relying parties may also support resource owner flows, such as where the relying party is an application or service that can securely receive user credentials. Resource owner flows may be associated with the OAuth authentication framework, and may comprise a resource owner password credentials grant under that framework. These other relying parties, unable to support resource owner flows, may instead implement authorization code flows to utilize other systems (such as the authentication systems discussed herein) to implement resource owner flows on their behalf and obtain authentication tokens. Authorization code flows may be associated with the Open ID Connect (OIDC) authentication layer, which may be on top of the OAuth 2.0 authentication framework. In an authorization code flow, a relying party may indicate that it wants to authenticate to an identify provider.).  

22. 	Regarding Claim 18, Jain discloses, the method of claim 13, further comprising: transmitting, at the client application, a second request to establish a secure connection with a second application server by presenting the cryptographic identifier of the certificate associated with the client application or the user of the client application, and responsively establishing a secure connection with the second application server based on the cryptographic identifier of the certificate being provisioned into the list of trusted certificates by the OIDC server, wherein the cryptographic identifier of the certificate presented by the client application to the second application server includes a third service identifier associated with the second application server(Jain, [0114], Authentication system 820 may further operate to translate an authorization code flow to a resource owner flow to federate relying parties that need OIDC authorization code flow where the identity provider supports OAuth resource owner flows. For example, relying party 810, which does not support resource owner flows, my initiate an OIDC authorization code flow 853 to authenticate a user device using authentication system 820 via authentication interface 825. Authentication interface 825 may determine that AD AC-flow plugin 835 corresponds to the request from relying party 810, and may pass the request from relying party 810 to AD AC-flow plugin 835. AD AC-flow plugin 835 supports resource owner flows, and may initiate a resource owner flow 855a or 855b corresponding to the requested authentication process in the authorization code flow received from relying party 810. AD AC-flow plugin 835 may get credentials 854 associated with the user as part of a RO flow, such as by causing a prompt to be generated for the user to provide a user name and password. AD AC-flow plugin 835 may then request authentication of die user device via a resource owner flow suitable for authentication by customer AD server 441.).  



Claim Rejections - 35 USC § 103
23. 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


24. 	Claims 2, 8-9, 15 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jain (US Patent Publication No. US 2020/0162454 A1) in view of Melo (US Patent Publication No. 10756908 B1).

25. 	Regarding Claim 2, Jain and Melo discloses, 
Jain does not explicitly disclose the following limitations that Melo teaches:
the method of claim 1, wherein the certificate includes (a) a certificate generated by a certificate management function, or (b) a self-signed certificate generated by the client application (Melo, [0046], self-signed certificate are generated with an appropriate app on a first device, such as a mobile phone.).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include an application that is self-signed by certificate to enhance security features. 

26. 	Regarding Claim 8, Jain and Melo discloses, the method of claim 7, further comprising: 
Jain does not explicitly disclose the following limitations that Melo teaches: 
de-provisioning the cryptographic identifier of the certificate from the list of trusted certificates in response to receiving a signal indicating that a client device associated with the device identifier is lost, stolen, or replaced (Melo, Col. 7, lines, 52-55, Because each device can operate the user's Personal CA, the chain for which has the same Personal Root Certificate, any device can replace any other lost device by creating a new signing certificate for the replacement device).  
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to deprovision the identifier within the certificate of the client device when receiving the device the identifier is replaced to enhance security. 

27. 	Regarding Claim 9, Jain disclose, the method of claim 1, further comprising: 
Jain does not explicitly disclose the following limitations Melo teaches:
de-provisioning the cryptographic identifier of the certificate from the list of trusted certificates when the certificate was unused by the client application for a predefined period of time since the cryptographic identifier of the certificate was provisioned into the list of trusted certificates, or when the authentication credentials presented by the client application to establish a connection with the one or more applications servers are invalid (Melo, Col. 21, lines, 9-25,  to obtain additional information from the user, such as name, email address, street address, credit card information, etc. AS 1002 can ping user device 1008 for this information, or simply redirect the account creation page of website server 1004 directly to user device 1008. Successful user identity determination by the webs to server 1004 causes account creation. Then the user-name, password and certificate are entered into the AS's password database 1010 before returning the login acceptance tokens to the user. Account deletions can be administratively handled by invalidating the certificate or by administrative login to AS 1002. Passwords are often limited in length in existing systems. Otherwise, the certificate or its representation could simply replace the password in a user-account using a simple “change password” command, because an affirmative comparison is all that's needed.).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the unused certificates of the client application time since the cryptographic identifier of the certificate to enhance security.

28. 	Regarding Claim 15, Jain discloses, the method of claim 13, and responsively receiving successful authorization from the application server based on the application server cryptographically verifying possession of the private key corresponding to the public key that was used to sign the certificate associated with the request transmitted to the OIDC server(Jain, [0110], Authorization code flows may be associated with the Open ID Connect (OIDC) authentication layer, which may be on top of the OAuth 2.0 authentication framework. In an authorization code flow, a relying party may indicate that it wants to authenticate to an identify                                                 provider. [0076], Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate and private key.).  
Jain does not explicitly disclose the following limitations that Melo teaches:
wherein when the cryptographic identifier of the certificate is the public key of the certificate, wherein establishing the secure connection with the application server further comprises: receiving, at the client application, a challenge from the application server (Melo, Claim 1, issuing a challenge question to the user device, by the verifying party computer, using the intermediate public key to encrypt the challenge question;);  
transmitting, at the client application, to the application server, a response generated using a private key corresponding to the public key that was used to sign the certificate associated with the request sent to the OIDC server (Melo, Col. 2, lines 19-29, Currently, a Public Key Infrastructure (PKI) exists to allow users to verify the identity of a website, to make sure they are communicating with the correct entity. Public/Private key encryption is used for site authentication. A trusted, third-party Certificate Authority (CA) can be used to authenticate the identity of a website. In this process, the owner of a domain generates a public/private key pair. The public key of the website is wrapped in a Certificate Signing Request (CSR) along with other information, and it is signed with the private key. This CSR is submitted to the CA for the creation of a Certificate.); 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the challenge of the application generated a private key of the signed certificate of the OIDC server to enhance security.

29. 	Regarding Claim 19, Jain discloses, an application server, comprising: 
a communications unit(Jain, [0089], communication interfaces.); and an electronic processor communicatively coupled to the communications unit, the electronic processor configured to: receive, via the communications unit, access to a list of trusted certificates from an OIDC server (Jain, [0103], a session with client device 505 based on confirming the validity of the authentication token.); 
receive, via the communications unit, a request from a client application to establish a secure connection, the request including a cryptographic identifier of a certificate associated with the client application or a user of the client application (Jain, [0010], client applications may request that the authentication interface authenticate the client device / user based on a combination of Active Directory and One Time Password authentication processes. Client applications may include, for example, applications on a server accessed by users via a client device. The client applications may provide a service to the user using information and/or functionality provided by network resources and services); 
and establish, via the communications unit, a secure connection with the client application after the verification (Jain, [0077], communication interfaces, and/or the like. [0078] Relying party 410 may be a server that provides services to client device 405, and may be any type of computing device including, for example, a server, computer, laptop, tablet, smartphone, or other device that includes a processor (e.g., computing device 201). Relying party 410 may communicate, via communication interfaces).  
Jain does not explicitly discloses the following limitations that Melo teaches:
verify that the cryptographic identifier of the certificate is provisioned into the list of trusted certificates (Melo, Col. 9, lines 33-36, User Credentials are the presentation of a cryptographically-signed payload, who's signing origins can be traced to possession of the user's Personal Root Certificate private key via a chain-of-trust validation mechanism.); 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the trusted certificate of the cryptographic identifier to enhance security features. 

30. 	Regarding Claim 20, Jain and Melo discloses, the application server of claim 19, wherein the electronic processor is further configured to: 
receive, via the communications unit, a response generated using a private key corresponding to a public key that was used to sign the certificate of the client application (Jain, [0075], In some cases, managed applications 310 may be allowed to access a certificate and private key via an API (for example, OpenSSL). Trusted managed applications 310 of an enterprise may be allowed to perform specific Public Key operations with an application’s client certificate and private key.); 
and establishing, via the communications unit, the secure connection with the client application after cryptographically verifying, from the received response, client application's possession of the private key corresponding to the public key used to sign the certificate (Jain, [0075], Various use cases may be identified and treated accordingly, such as if or when an application behaves like a browser and no certificate access is required, if or when an application reads a certificate for“who am I,” if or when an application uses the certificate to build a secure session token, and if or when an application uses private keys for digital signing of important data (e.g. transaction log) or for temporary data encryption.).
Jain does not explicitly disclose the following limitations that Melo teaches:
transmit, via the communications unit, a challenge to the client application in response to receiving the request from the client application (Melo, Col. 5, lines 66-67, Col. 6, 1-4, a client presents the same certificate and the service validates the certificate chain-of-trust and performs a challenge/response to ensure certificate ownership (with TLS, this is done automatically). Step 2) the service compares the presented certificate with certificates)
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to transmit the challenge of the client application when receiving the request to enhance security.








Conclusion
31. 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner, Art Unit 2433
	
/WASIKA NIPA/Primary Examiner, Art Unit 2433