Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on August 24, 2021 has been entered.

Response to Arguments
Applicant’s arguments, see pages 8-10, filed on August 10, 2021, with respect to the rejections of claims 1-2, 4-12 and 14-22 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground of rejection is made over Benantar US 20030130947 in view of Linnakangas et al. US 9319396.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-12 and 14-22 are rejected under 35 U.S.C. 103 as being unpatentable over  Benantar US 20030130947 in view of Linnakangas et al. US 9319396.

As per claim 1:
Benantar discloses a method for controlling, by a network control apparatus of a computerised network system, trust relationships between entities capable of communicating with each other in the computerised network system, the method comprising:
determining, by the network control apparatus ([093]: the responsibility for managing the trust relation information for a particular trust web is delegated to a central trust web agent. FIG. 8A shows a trust web from the limited perspective of central trust web agent 802, which is connected to a set of certificate authorities), an existing chain of trust relationships from a first entity via at least one intermediate entity to a second entity, wherein the first entity, the second entity, and the at least one intermediate entity each provide a separate node in the determined existing chain of trust relationships ([0038] Certificates are issued by certificate authorities. A certificate authority (CA), also known as a certification authority or a certifying authority, is an entity, usually a trusted third party to a transaction, that is trusted to sign or issue certificates for other people or entities. The certificate authority usually has some kind of legal responsibilities for its vouching of the binding between a public key and its owner that allow one to trust the entity that signed a certificate. There are many such certificate authorities, such as VeriSign, Entrust, etc. These authorities are responsible for verifying the identity and key ownership of an entity when issuing the certificate. [0041, 0043]: X.509 Standard and infrastructure to define certifications. [0049-0050] Over time, trust relationships are established between certificate authorities, which are infrequent events. These trust relationships are then used by two entities that desire to engage in a secure transaction or communication using the PKI infrastructure, which is a frequent event. The two entities exchange digital certificates, thereby providing the other entity with a public key (or with information to retrieve a public key) that is used during the secure transaction or communication. Each entity must then validate the other entity's digital certificate, and the validation process involves two primary procedures: trust path construction and trust path verification. A trust path can be considered as a chain of individual links between trusted entities; each link between entities is represented by a digital certificate. Trust path construction consists of computing a chain of certificates from the certificate authority that is trusted by a first entity to the certificate authority that is trusted by a second entity. The result of constructing a trust path shows that a potentially trustable relationship exists between the first entity and the second entity).
creating, by the network control apparatus ([093]: the responsibility for managing the trust relation information for a particular trust web is delegated to a central trust web agent. FIG. 8A shows a trust web from the limited perspective of central trust web agent 802) and based on the determined existing chain of trust relationships from the first entity via the at least one intermediate entity to the second entity ([0053-005, 0057]: a link between trusted entities; trust path or chain of trust through certificate authority and the certificates stored within LDAP directories; [0058-0059]: Peer-to-peer cross-certification model for entities within a PKI-enabled system, certificate authorities cross-certify each other, which gives rise to a mesh of possible trust paths. Cross-certifying entities may use specially designated cross-certification certificates or specially designated data fields within typical certificates. A validation application may walk across horizontal or peer relationships between entities. Certifying authorities 311-315 have previously established a mesh of trust relationships), at least one secured direct trust relationship between the first entity and the second entity, wherein the created at least one secured direct trust relationship between the first entity and the second entity provides a shorter chain of trust relationships via fewer intermediate entities than the determined existing chain of trust relationships from the first entity via the at least one intermediate entity to the second entity ([0070-0073]: The transitive closure represents whether there is a path, i.e. set of edges, through the directed graph for any two nodes in the directed graph. A transitive closure computation can be applied to a trust web. The output of a transitive closure computation represents whether or not an established trust path exists between two certificate authorities that are involved in a certificate validation process; this output information may be termed "inter-CA trust path indicator information" as it quickly indicates whether or not a trust path exists between two certificate authorities. The result of the transitive closure computation is then stored in an appropriate format, e.g., a simple file containing the matrix, one or more database records, or some other format. An "all pairs shortest paths" computation is then performed on the adjacency matrix. The shortest paths that are discovered during the "all pairs shortest paths" computation are then stored in an appropriate format, e.g., a simple file containing a set of paths, a set of files containing a vector representing a path, a set of linked list data structures, a set of one or more database records, or some other format. [0078-0079] When "all pairs shortest paths" computation is performed, one can interpret the result as the shortest distance or "shortest path" between each pair of nodes. Also "all paths lowest costs" in which "costs" is also given the generalized definition of "use of resources". A "single source shortest path" computation by starting at a particular node and then repeating the computation by starting at each node in turn is more efficient for computing the "all pairs shortest paths" problem, also known as the "multiple source shortest paths" problem).
Benantar further discloses ([0081-0082]: The validation of a certificate comprises the procedures of trust path construction and then trust path verification. Since the verification costs for a trust path through a set of certificates is directly related, i.e. varies linearly, with the number of certificates to be verified, when one uses the shortest path that was previously constructed with the present invention in subsequent verification processes, one is implicitly using the least amount of computational resources during the verification process. [0084, 0095] A vector that represents the actual path along the nodes whose intermediary edges have produced the lowest cost, i.e. shortest path or "distance", for a given pair of nodes; over multiple pairs of nodes, multiple sets of paths can be produced with one set of paths for each pair of nodes) and wherein the created at least one secured direct trust relationship is secured based on security credentials comprising at least one of a key or a certificate, and causing, by the network control apparatus, storing information of the created at least one secured direct trust relationship between the first entity and the second entity in a database of trust relationships ([0097-0099]: A central trust web agent generates and disseminates trust web information to certificate authorities within a trust web. The process begins when the trust web agent receives a trust relation update message from a certificate authority, and the trust relation within the received message is added or deleted from the current set of trust relations that is maintained by the central trust web agent. The trust web agent then performs the transitive closure computation and also the "all pairs shortest paths" computation, after which it can store the information for later use. By comparing the newly generated transitive closure information and shortest path information with the previously generated information, the central trust web agent can determine which certificate authorities have been affected by the most recent trust relation update. Hence, the central trust web agent can communicate the appropriate updated information to the affected certificate authorities, thereby completing the process from the perspective of the central trust web agent).
Benantar does not explicitly disclose that the secured direct trust relationship is secured, based on security credentials, according to a security protocol. Linnakangas, in analogous art, however, discloses that the secured direct trust relationship is secured, based on security credentials, according to a security protocol (Column 5: lines 3-8: The security protocol can be, for example, any version of SSH (Secure Shell), any version of SSL (Secure Sockets Layer), any version of TLS (Transport Layer Security), any version of Secure Telnet, SFTP (SSH File Transfer Protocol), or FTPS (FTP over TLS/SSL), or a variant or further development of those or similar protocols without having a material impact on the applicability of the present invention. Column 7: lines 5-10: Scanning can happen at regular intervals, once, or it can be triggered manually, or it can be triggered by observed security protocol connections or changes in dynamic trust relationships. For example, observing a connection from a host to another host authenticating a user with a specific public key, represented by its fingerprint, can trigger a localized scanning of only those locations on the destination host that are known to possibly contain access-granting public keys for that user. Column 11: At least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device; Information for use in determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device is then stored at 1104).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the secured direct trust relationship disclosed by Benantar so that it is secured, based on security credentials, according to a security protocol. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to determine trust relationships and identify a successful login to a first host device from a second host device using a public key identified by a fingerprint for authentication based on log information conveyed from the first host device when it is determined that at least one of the first host device and the second host device is not being managed by a management system, and a database is then updated to record that a key identified by the fingerprint is used outside the environment managed by the management system, as suggested by Linnakangas (column 2: lines 10-20, 32-39).
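To make the claim 1 mapping concrete, the following is an added example written for this page (it is not code from Benantar US 20030130947, from Linnakangas US 9319396, or from the application under examination). It models the central trust web agent described above: cross-certification links between certificate authorities form a directed graph, Floyd-Warshall yields the transitive closure ("inter-CA trust path indicator") and the "all pairs shortest paths", and a trust relation update that adds a direct cross-certificate between the two end CAs shortens the chain and identifies the affected CAs. The CA names and the unit cost per certificate on a path are constructed assumptions.

```python
# Added example for this page (not code from Benantar US 20030130947, Linnakangas
# US 9319396 or the application under examination): a toy "central trust web agent"
# that keeps the set of inter-CA trust relations, computes the transitive closure and
# all-pairs shortest paths over them, and, on a trust relation update, reports which
# certificate authorities are affected. CA names and the unit cost per certificate on a
# trust path are constructed assumptions.
from itertools import product

INF = float("inf")


def all_pairs_shortest_paths(nodes, trust_relations):
    """Floyd-Warshall over the trust web.

    trust_relations: (issuer_ca, subject_ca) cross-certification links; each link is
    one certificate that a relying party must verify, so every edge has weight 1
    (verification cost varies linearly with the number of certificates on the path).
    Returns dist[a][b] (number of certificates on the shortest trust path, INF if
    none) and next_hop[a][b] for reconstructing that path.
    """
    dist = {a: {b: 0 if a == b else INF for b in nodes} for a in nodes}
    next_hop = {a: {b: None for b in nodes} for a in nodes}
    for issuer, subject in trust_relations:
        dist[issuer][subject] = 1
        next_hop[issuer][subject] = subject
    for k, i, j in product(nodes, repeat=3):  # k is the outermost loop
        if dist[i][k] + dist[k][j] < dist[i][j]:
            dist[i][j] = dist[i][k] + dist[k][j]
            next_hop[i][j] = next_hop[i][k]
    return dist, next_hop


def transitive_closure(dist):
    """Inter-CA trust path indicator: does any trust path exist from a to b?"""
    return {a: {b: dist[a][b] < INF for b in dist[a]} for a in dist}


def trust_path(next_hop, src, dst):
    """Trust path construction: the chain of CAs from src to dst, or None."""
    if src != dst and next_hop[src][dst] is None:
        return None
    path = [src]
    while path[-1] != dst:
        path.append(next_hop[path[-1]][dst])
    return path


class TrustWebAgent:
    """Holds the current trust relations and the derived path information."""

    def __init__(self, nodes, trust_relations):
        self.nodes = list(nodes)
        self.relations = set(trust_relations)
        self.dist, self.next_hop = all_pairs_shortest_paths(self.nodes, self.relations)

    def update(self, relation, add=True):
        """Process a trust relation update message (add or delete one link),
        recompute closure and shortest paths, and return the CAs whose shortest-path
        information changed and therefore need the updated information."""
        previous = self.dist
        (self.relations.add if add else self.relations.discard)(relation)
        self.dist, self.next_hop = all_pairs_shortest_paths(self.nodes, self.relations)
        return {ca for a in self.nodes for b in self.nodes
                if previous[a][b] != self.dist[a][b] for ca in (a, b)}


if __name__ == "__main__":
    # Constructed trust web: a chain of cross-certifications A -> B -> C -> D.
    agent = TrustWebAgent(["A", "B", "C", "D"], [("A", "B"), ("B", "C"), ("C", "D")])
    print("existing chain A->D:", trust_path(agent.next_hop, "A", "D"),
          "certificates:", agent.dist["A"]["D"])
    # A direct cross-certificate between the end CAs is the "secured direct trust
    # relationship": the chain shrinks to one certificate and only A and D are affected.
    print("affected by direct A->D link:", sorted(agent.update(("A", "D"))))
    print("new chain A->D:", trust_path(agent.next_hop, "A", "D"),
          "certificates:", agent.dist["A"]["D"])
```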

As per claim 2:
Benantar and Linnakangas disclose routing data between the first entity and the second entity according to the created at least one secured direct trust relationship (Benantar [0078-0079]: The weights of the edges in this type of adjacency matrix might represent distance along a given route or travel time along a given route, which might not be directly related to the distance along a given route because of many non-linear factors. The weights that are assigned to the edges of a graph can be interpreted as distances between the nodes. Hence, when the "all pairs shortest paths" computation is performed, one can interpret the result as the shortest distance or "shortest path" between each pair of nodes; [0097-0099]).

As per claim 4:
Benantar and Linnakangas disclose continuing storing information of the existing chain of trust relationships in the database after the creation of the at least one secured direct trust relationship (Benantar [0072-0073]: The result of the transitive closure computation is then stored in an appropriate format, e.g., a simple file containing the matrix, one or more database records, or some other format; [0097-0099]).

As per claim 5:
Benantar and Linnakangas disclose replacing information of the existing chain of trust relationships by the information of the created at least one secured direct trust relationship (Benantar [0097-0099]: A central trust web agent generates and disseminates trust web information to certificate authorities within a trust web. The process begins when the trust web agent receives a trust relation update message from a certificate authority, and the trust relation within the received message is added or deleted from the current set of trust relations that is maintained by the central trust web agent. The trust web agent then performs the transitive closure computation and also the "all pairs shortest paths" computation, after which it can store the information for later use. By comparing the newly generated transitive closure information and shortest path information with the previously generated information, the central trust web agent can determine which certificate authorities have been affected by the most recent trust relation update. Hence, the central trust web agent can communicate the appropriate updated information to the affected certificate authorities, thereby completing the process from the perspective of the central trust web agent).

As per claim 6:
Benantar and Linnakangas disclose displaying a graphical presentation comprising the created at least one secured direct trust relationship (Linnakangas: Column 12: lines 60-65: a computer can be configured to analyze dynamic and static trust relationships obtained by any of the aforementioned methods, to calculate, derive, or estimate metrics and to make them available to users or computer services in human-readable form, such as text files, graphical plots, or spreadsheets, or computer-readable formats, such as database rows, XML files, plain text files, or binary encoded files).

As per claim 7:
Benantar and Linnakangas disclose determining whether at least a part of the existing chain of trust relationships can be replaced by a secured direct trust relationship (Benantar [0097-0099]: A central trust web agent generates and disseminates trust web information to certificate authorities within a trust web. The process begins when the trust web agent receives a trust relation update message from a certificate authority, and the trust relation within the received message is added or deleted from the current set of trust relations that is maintained by the central trust web agent. The trust web agent then performs the transitive closure computation and also the "all pairs shortest paths" computation, after which it can store the information for later use. By comparing the newly generated transitive closure information and shortest path information with the previously generated information, the central trust web agent can determine which certificate authorities have been affected by the most recent trust relation update. Hence, the central trust web agent can communicate the appropriate updated information to the affected certificate authorities, thereby completing the process from the perspective of the central trust web agent).

As per claim 8:
Benantar and Linnakangas disclose determining that the existing chain of trust relationships violates a policy, a rule, or a setting, and in response thereto replacing at least a segment of the existing chain of trust relationships with a secured direct trust relationship between end nodes of the segment (Benantar [0057], [0062]: establishing and revoking trust relationships. [0064] Some entities within a system may deem that they want to control transitive trust relationships such that trust is not extended "too far" or to certain entities, particularly within a cross-certification model. Hence, path constraints, name constraints, and policy constraints may be employed when constructing and/or verifying a trust path).

As per claim 9:
Benantar and Linnakangas disclose selectively creating a secured direct trust relationship between the first entity and the second entity, the selectively creating comprising taking into account at least one of: potential consequences of deletion of at least one trust relationship of the existing chain of trust relationships, data traffic through at least one node associated with the existing chain of trust relationships, a policy, a rule, or a setting relating to trust relationships, input via a user interface, encryption keys used in association with the existing chain of trust relationships, one or more encryption algorithms used in association with the existing chain of trust relationships, an approver of at least one trust relationship of the existing chain of trust relationships, identities of users, hosts, host groups, and/or other nodes associated with the existing chain of trust relationships, security credentials used for the existing chain of trust relationships, validity of security credentials used for the existing chain of trust relationships, a number of hops between nodes in the existing chain of trust relationships, whether enumerated nodes are associated with the existing chain of trust relationships, a maximum validity period of trust relationships in the existing chain of trust relationships, a number of users of a node in the existing chain of trust relationships, a number of incoming and/or outgoing trust relationships into and/or out from one or more nodes in the existing chain of trust relationships, sameness of trust relationships in the existing chain of trust relationships, a source of originating user identity information, or software products used in nodes associated with the existing chain of trust relationships (Benantar [0054]: Select from Trust Models, [0073]: a set of files containing a vector representing a path, a set of linked list data structures).

As per claim 10:
Benantar and Linnakangas disclose decrypting by an intermediate apparatus at least a part of communications between the first entity and the second entity (Benantar [0034] Within a public key cryptography system, since all communications involve only public keys and no private key is ever transmitted or shared, confidential messages can be generated using only public information and can be decrypted using only a private key that is in the sole possession of the intended recipient. Furthermore, public key cryptography can be used for authentication, i.e. digital signatures, as well as for privacy, i.e. encryption. A sender uses a public key to encrypt data, and the receiver uses a private key to decrypt the encrypted message. [0044]: An entity that receives digital certificate 216 may verify the signature of the certificate authority by using CA public key 212, which is published and available to the verifying entity).

As per claim 21:
Benantar and Linnakangas disclose wherein each of the first entity, the at least one intermediate entity, and the second entity comprises a device that uses at least one of a key managed by a key manager or a certificate issued by a certificate authority (Benantar [0076-0081]: inter-CA trust path indicators; all pairs shortest paths; [0095]).

As per claim 22:
Benantar and Linnakangas disclose using the created at least one secured shorter direct trust relationship between the first entity and the second entity instead of the existing chain of trust relationships, and that the created at least one secured shorter direct trust relationship between the first entity and the second entity is independent of the at least one intermediate entity (Benantar [0076-0081]: inter-CA trust path indicators; all pairs shortest paths; [0095]).

As per claims 12, 14-19:
Claims 12, 14-19 are directed to a network apparatus for controlling trust relationships between entities communicating in a network, the network apparatus comprising at least one processor, and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the network apparatus to perform features having substantially similar corresponding limitations of claims 1, 4-8 and 10 respectively and therefore claims 12, 14-19 are rejected with the same rationale given above to reject claims 1, 4-8 and 10 respectively.

As per claim 20:
Claim 20 is directed to one or more non-transitory computer readable media storing instructions that, when executed, cause a processor of a network apparatus to perform a trust relationship control method for controlling trust relationships between entities communicating in a computerized network, the method performed having substantially similar corresponding limitations of claim 1 and therefore claim 20 is rejected with the same rationale given above to reject claim 1.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the Notice of References Cited, form PTO-892, for additional prior art.

Contact Information

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM, can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TECHANE GERGISO/Primary Examiner, Art Unit 2494