DETAILED ACTION
This action is in response to the application filed on June 28, 2022. Claims 1-7, 9-14, 16-20 are pending. Claims 1, 3-7, 9, 10-14, 16-20 are amended. Claims 8 and 15 have been canceled. Of such, claims 1-7 represent a system, claim 9-14 represents a method, claims 16-20 represent a computer readable medium directed validating software agents in robotic process automation systems.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, see pages 12-15, filed  on June 28, 2022, with respect to the rejections of claims 1-20 in view of Dunjic and Williams have been fully considered and are persuasive.  Therefore the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of Taylor (US 2018/0114000) and Smith (US 2017/0346640).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-14, 16-20 are rejected under 35 U.S.C. 103 as being unpatentable by Taylor, Richard (US 2018/0114000), hereinafter referred to as Taylor, in view of Smith et al. (US 2017/0346640), hereinafter referred to as Smith. 
	Regarding Claim 1, Taylor discloses:
A system comprising: at least one processor programmed or configured to (In ¶ 43, Taylor discloses “Referring to FIG. 1 an embodiment is depicted whereby a server device 101 communicates via a network 102 with a plurality of client devices 104.”): receive, from a client device, an initialization access request for access to an online source of information by an automated software agent of the client device (In ¶ 45, Taylor discloses “In another embodiment it is the client device 104 that initiates the attestation request to the server device 101 so that it may then later prove its authenticity to said server device.”); transmit the private encryption key of the public/private encryption key pair to the automated software agent of the client device (In ¶ 59, Taylor discloses “In block 714, the computing device 102 responds to the request with an attestation based on the group private key 208 for the requested interface.”); receive a first hash value from the automated software agent of the client device, wherein the first hash value is generated using the private encryption key (In ¶ 60 Taylor discloses “An attestation response module 704 receives the incoming fingerprint(s) from a client application device 706. It then selects which particular fingerprints are of relevance based on information such as client device type and operating system and the type of the application that is being attested. See Figure 2, 205.” and in ¶ 65, Taylor further discloses “As discussed, using cryptographic hashing techniques it is reasonable to assume that this fingerprint can only be computed if an untampered version of the code is present in the client device.”); receive a second hash value from the automated software agent of the client device (In ¶ 60, Taylor discloses “An attestation response module 704 receives the incoming fingerprint(s) from a client application device 706. It then selects which particular fingerprints are of relevance based on information such as client device type and operating system and the type of the application that is being attested. See Figure 2, 205.”); determine whether to allow access to the online source of information by the automated software agent based on the first hash value and the second hash value received from the automated software agent of the client device (In ¶ 47, Taylor discloses “The server then checks the fingerprint or other response provided 206 to determine whether the client device software is considered to be authentic… Once the server has checked the authenticity it makes a divergent choice based on the result 207. If the attestation check passes 209 then the requested access to server information is granted.”); process a request to access the online source of information involving the automated software agent of the client device (In ¶ 47, Taylor discloses “After this the process may end 210 or further accesses to sensitive data or services may be required via 211. Further attestation checks may be desirable in this circumstance in case the client software is subject to some malicious attack on its code after the prior attestation check.”),, wherein, when 59V2666.DOCxPage 2 of 16Application No. 17/022,267 Paper Dated: June 28, 2022 In Reply to USPTO Correspondence of March 29, 2022 Attorney Docket No. 08223-2003773 (4612US01)processing the request to access the online source of information, the at least one processor is programmed or configured to: allow the automated software agent to conduct a data transaction involving the online source of information based on determining to allow access to the online source of information by the automated software agent of the client device (In ¶ 47, Taylor discloses “If the attestation check passes 209 then the requested access to server information is granted.”); and store a data record associated with the data transaction involving the online source of information in a data structure (In ¶ 56, Taylor discloses “The results of these system property probes are also returned to the server via the communication 511. This information may then be stored by the attestation server so that it this may be subsequently compared with against other information provided by the remote client device 501. Disparities between these two flows of information may be used to detect certain types of fraud enabled by software running on a client software device. For instance, the software may spoof device ID information in order to try and fool a server application that requests are coming from a different device. This can be detected if the device ID is extracted from the system properties 506 and transmitted independently in the communication 511.” and in ¶ 57, Taylor further discloses “Moreover, the attestation server devices 602 may be shared for the attestation of various different application server devices 601, verifying various distinct applications.”).
Taylor does not explicitly teach the limitation of the private encryption key. 
However, Smith discloses the following limitation:
generate software agent credential data associated with access credentials to the online source of information based on receiving the initialization request (In ¶ 57, Smith discloses “In block 706, the computing device 102 may be provisioned with a group private key 208 for one or more subsystems that the computing device 102 is a member of. The computing device 102 may be provisioned with the group private keys 208, for example, during system integration, when joining a subsystem, during deployment, or at other times. In some embodiments, in block 708 the computing device 102 may execute an enhanced privacy identifier (EPID) join protocol with a group leader to be provisioned with the group private keys 208. ”), wherein the software agent credential data associated with access credentials to the online source of information comprises a private encryption key of a public/private encryption key pair, wherein the private encryption key is assigned to the automated software agent of the client device  (In ¶ 61, Smith discloses “the symmetric session key may be used to protect network communications within the subsystem. The symmetric key exchange may follow multiple potential strategies for provisioning the computing devices 102 with pair-wise session keys. For example, one approach may rely on a key exchange protocol between the computing devices 102, such as Diffie-Hellman key exchange, RSA key exchange, PAKE, or another variety. Continuing that example, each group member computing device 102 may obtain group symmetric keys for message integrity and/or confidentiality by performing a key exchange protocol where the symmetric integrity and/or confidentiality key(s) may be generated by the content originator and wrapped using an RSA or LWE key encryption key (KEK), which is signed using the group private key for either the subsystem (if representing an interface protocol consistent with inter-system semantics) or an object model interface (if representing an interface protocol consistent with intra-system semantics).”) 
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize Smith’s approach of utilizing a private encryption key with Taylor’s approach of attestation as the motivation would be to further protect the secure attestation request over the channel (see Smith ¶ 56).
	Regarding Claim 2, the combination of Taylor and Smith disclose: 
The system of claim 1, wherein, when storing the data record associated with the data transaction involving the online source of information in the data structure, the at least one processor is programmed or configured to: store the data record associated with the data transaction involving the online source of information in a distributed ledger (In ¶ 56, Taylor discloses “The results of these system property probes are also returned to the server via the communication 511. This information may then be stored by the attestation server so that it this may be subsequently compared with against other information provided by the remote client device 501. Disparities between these two flows of information may be used to detect certain types of fraud enabled by software running on a client software device. For instance, the software may spoof device ID information in order to try and fool a server application that requests are coming from a different device. This can be detected if the device ID is extracted from the system properties 506 and transmitted independently in the communication 511.” and in ¶ 57, Taylor further discloses “Moreover, the attestation server devices 602 may be shared for the attestation of various different application server devices 601, verifying various distinct applications.”).
	Regarding Claim 3, the combination of Taylor and Smith disclose: 
The system of claim 1, wherein the at least one processor is further programmed or configured to: store the first hash value with an identifier of the automated software agent of the client device in the data structure (In ¶ 60, Taylor discloses “In the database 703 valid fingerprints for particular applications and platform components are stored.”); and wherein, when determining whether to allow access to the online source of information by the automated software agent of the client device, the at least one processor is programmed or configured to: retrieve the first hash value from the data structure based on the identifier of the automated software agent of the client device  (In ¶ 60, Taylor discloses “The application type information received as part of the attestation response (or known from the context of the original attestation request) is used to ensure that only relevant fingerprints for the correct application type are used. Information about the device operating system and type may also be used to ensure the correct lookup for the correct platform components 708. ”); compare the second hash value received from the automated software agent to the first hash value retrieved from the data structure (In ¶ 60, Taylor discloses “When the relevant fingerprints are extracted 710 they are then compared in the response validation module 709 to determine if the application and/or platform components are authentic.”); and determine to allow access to the online source of information by the automated software agent of the client device based on determining that the Attorney Docket No. 08223-2003773 (4612US01) second hash value received from the automated software agent corresponds to the first hash value retrieved from the data structure (In ¶ 60, Taylor discloses “A response 711 can then be constructed and sent to the attestation server indicating whether the authentication of the remote client code has passed or not”).
	Regarding Claim 4, the combination of Taylor and Smith disclose: 
The system of claim 1, wherein, when receiving the second hash value from the automated software agent of the client device, the at least one processor is programmed or configured to: receive the request to access the online source of information from the automated software agent, wherein the request to access the online source of information includes the second hash value and data associated with the automated software agent of the client device (In ¶ 47, Taylor discloses “This client software may perform any number of logical steps depending both on the purpose of this client software and user interaction until some later point 203 where there is some requirement for sensitive data or a sensitive operation 203 that requires the interaction of the server shown as 101 in FIG. 1….. In response to the attestation request the client sends a response 205 to the requesting server with some response, such as a software code fingerprint, that provides evidence that the code being executed is authentic.”) 
	Regarding Claim 5, the combination of Taylor and Smith disclose:
The system of claim 4, wherein, when determining whether to allow access to the online source of information by the automated software agent of the client device, the at least one processor is programmed or configured to: determine whether to allow access to the online source of information by the automated software agent of the client device based on the first hash value, the second hash value., and data associated with the automated software agent of the client device included in the request to access the online source of information (In ¶ 60, Taylor discloses “When the relevant fingerprints are extracted 710 they are then compared in the response validation module 709 to determine if the application and/or platform components are authentic. A response 711 can then be constructed and sent to the attestation server indicating whether the authentication of the remote client code has passed or not”); and wherein, when processing the request to access the online source of information involving the automated software agent of the client device, the at least one processor is programmed or configured to: allow the automated software agent to conduct the data transaction involving a specific type of data included in the online source of information based on the data associated with the automated software agent of the client device (In ¶ 47, Taylor discloses “If the attestation check passes 209 then the requested access to server information is granted.”). 
	Regarding Claim 6, the combination of Taylor and Smith disclose: 
The system of claim 1, wherein, when receiving the second hash value from the automated software agent of the client device, the at least one processor is programmed or configured to: receive the request to access sensitive data included in the online source of information from the automated software agent, wherein the request to access sensitive data included in the online source of information includes the second hash value  (In ¶ 47, Taylor discloses “This client software may perform any number of logical steps depending both on the purpose of this client software and user interaction until some later point 203 where there is some requirement for sensitive data or a sensitive operation 203 that requires the interaction of the server shown as 101 in FIG. 1….. In response to the attestation request the client sends a response 205 to the requesting server with some response, such as a software code fingerprint, that provides evidence that the code being executed is authentic.”).
	Regarding Claim 7, the combination of Taylor and Smith disclose: 
The system of claim 6, wherein the at least one processor is further programmed or configured to: transmit a challenge question to the automated software agent of the client device (In ¶ 2, Taylor discloses “Challenge-response attestation algorithms may be employed in this scenario to provide a method allowing the client software to attest to its authenticity by calculating a cryptographic fingerprint hash of its executable code.”); and receive a response to the challenge question from the automated software agent of the client device (In ¶ 30, Taylor discloses “In this case both the challenge value and response (i.e. the known good fingerprint) are recorded in the database.”); wherein, when determining whether to allow access to the online source of information by the automated software agent of the client device, the at least one processor is programmed or configured to: determine whether to allow access to the sensitive data included in the online source of information by the automated software agent of the client device based on the first hash value, the second hash value, and the response to the challenge question from the automated software agent of the client device (In ¶ 30, Taylor discloses “When an attestation needs to be performed on a device in the untrusted device set then the same challenge value is provided by the server with the expectation of receiving the same response for the attestation to pass. If it is responds correctly to the challenge with the known good responses then it is assumed that the response to the new randomly generated challenge must also be valid.”)
Regarding Claim 9, Taylor discloses:
A computer-implemented method, comprising: receiving, with at least one processor and from a client device (In ¶ 43, Taylor discloses “Referring to FIG. 1 an embodiment is depicted whereby a server device 101 communicates via a network 102 with a plurality of client devices 104.”):, an initialization access request for access to an online source of information by an automated software agent of the client device (In ¶ 45, Taylor discloses “In another embodiment it is the client device 104 that initiates the attestation request to the server device 101 so that it may then later prove its authenticity to said server device.”); transmitting, with at least one processor, a private encryption key of a public/private encryption key pair to an automated software agent of the client device (In ¶ 59, Taylor discloses “In block 714, the computing device 102 responds to the request with an attestation based on the group private key 208 for the requested interface.”);; receiving, with at least one processor, a first hash value from the automated software agent of the client device, wherein the first hash value is generated using the private encryption key (In ¶ 60 Taylor discloses “An attestation response module 704 receives the incoming fingerprint(s) from a client application device 706. It then selects which particular fingerprints are of relevance based on information such as client device type and operating system and the type of the application that is being attested. See Figure 2, 205.” and in ¶ 65, Taylor further discloses “As discussed, using cryptographic hashing techniques it is reasonable to assume that this fingerprint can only be computed if an untampered version of the code is present in the client device.”); receiving, with at least one processor, a second hash value from the automated software agent of the client device (In ¶ 60, Taylor discloses “An attestation response module 704 receives the incoming fingerprint(s) from a client application device 706. It then selects which particular fingerprints are of relevance based on information such as client device type and operating system and the type of the application that is being attested. See Figure 2, 205.”); determining, with at least one processor, to allow access to the online source of information by the automated software agent based on the first hash value and the second hash value received from the automated software agent of the client device (In ¶ 47, Taylor discloses “The server then checks the fingerprint or other response provided 206 to determine whether the client device software is considered to be authentic… Once the server has checked the authenticity it makes a divergent choice based on the result 207. If the attestation check passes 209 then the requested access to server information is granted.”); processing, with at least one processor, a request to access the online source of information involving the automated software agent of the client device (In ¶ 47, Taylor discloses “After this the process may end 210 or further accesses to sensitive data or services may be required via 211. Further attestation checks may be desirable in this circumstance in case the client software is subject to some malicious attack on its code after the prior attestation check.”),, wherein processing the request to access the online source of information comprises: allowing the automated software agent to conduct a data transaction involving the online source of information based on determining to allow access to the online source of information by the automated software agent of the client device (In ¶ 47, Taylor discloses “If the attestation check passes 209 then the requested access to server information is granted.”); and storing, with at least one processor, a data record associated with the data transaction involving the online source of information in a data structure (In ¶ 56, Taylor discloses “The results of these system property probes are also returned to the server via the communication 511. This information may then be stored by the attestation server so that it this may be subsequently compared with against other information provided by the remote client device 501. Disparities between these two flows of information may be used to detect certain types of fraud enabled by software running on a client software device. For instance, the software may spoof device ID information in order to try and fool a server application that requests are coming from a different device. This can be detected if the device ID is extracted from the system properties 506 and transmitted independently in the communication 511.” and in ¶ 57, Taylor further discloses “Moreover, the attestation server devices 602 may be shared for the attestation of various different application server devices 601, verifying various distinct applications.”).
Taylor does not explicitly teach the limitation of the private encryption key. 
However, Smith discloses the following limitation:
generating, with at least one processor, software agent credential data associated with access credentials to the online source of information based on receiving the initialization request (In ¶ 57, Smith discloses “In block 706, the computing device 102 may be provisioned with a group private key 208 for one or more subsystems that the computing device 102 is a member of. The computing device 102 may be provisioned with the group private keys 208, for example, during system integration, when joining a subsystem, during deployment, or at other times. In some embodiments, in block 708 the computing device 102 may execute an enhanced privacy identifier (EPID) join protocol with a group leader to be provisioned with the group private keys 208. ”), wherein the software agent credential data associated with access credentials to the online source of information comprises a private encryption key 59V2666.DOCxPage 5 of 16Application No. 17/022,267 Paper Dated: June 28, 2022 In Reply to USPTO Correspondence of March 29, 2022 Attorney Docket No. 08223-2003773 (4612US01) of a public/private encryption key pair, wherein the private encryption key is assigned to the automated software agent of the client device  (In ¶ 61, Smith discloses “the symmetric session key may be used to protect network communications within the subsystem. The symmetric key exchange may follow multiple potential strategies for provisioning the computing devices 102 with pair-wise session keys. For example, one approach may rely on a key exchange protocol between the computing devices 102, such as Diffie-Hellman key exchange, RSA key exchange, PAKE, or another variety. Continuing that example, each group member computing device 102 may obtain group symmetric keys for message integrity and/or confidentiality by performing a key exchange protocol where the symmetric integrity and/or confidentiality key(s) may be generated by the content originator and wrapped using an RSA or LWE key encryption key (KEK), which is signed using the group private key for either the subsystem (if representing an interface protocol consistent with inter-system semantics) or an object model interface (if representing an interface protocol consistent with intra-system semantics).”) 
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize Smith’s approach of utilizing a private encryption key with Taylor’s approach of attestation as the motivation would be to further protect the secure attestation request over the channel (see Smith ¶ 56).
Regarding Claim 10, the combination of Taylor and Smith disclose: 
The method of claim 9, wherein storing the data record associated with the data transaction involving the online source of information in the data structure comprises: storing the data record associated with the data transaction involving the online source of information in a distributed ledger (In ¶ 56, Taylor discloses “The results of these system property probes are also returned to the server via the communication 511. This information may then be stored by the attestation server so that it this may be subsequently compared with against other information provided by the remote client device 501. Disparities between these two flows of information may be used to detect certain types of fraud enabled by software running on a client software device. For instance, the software may spoof device ID information in order to try and fool a server application that requests are coming from a different device. This can be detected if the device ID is extracted from the system properties 506 and transmitted independently in the communication 511.” and in ¶ 57, Taylor further discloses “Moreover, the attestation server devices 602 may be shared for the attestation of various different application server devices 601, verifying various distinct applications.”)..
	Regarding Claim 11, the combination of Taylor and Smith disclose: 
The method of claim 9, further comprising: storing the first hash value with an identifier of the automated software agent of the client device in a data structure (In ¶ 60, Taylor discloses “In the database 703 valid fingerprints for particular applications and platform components are stored.”), wherein determining to allow access to the online source of information by the automated software agent of the client device comprises: retrieving the first hash value from the data structure based on the identifier of the automated software agent of the client device (In ¶ 60, Taylor discloses “The application type information received as part of the attestation response (or known from the context of the original attestation request) is used to ensure that only relevant fingerprints for the correct application type are used. Information about the device operating system and type may also be used to ensure the correct lookup for the correct platform components 708. ”); comparing the second hash value received from the automated software agent to the first hash value retrieved from the data structure (In ¶ 60, Taylor discloses “When the relevant fingerprints are extracted 710 they are then compared in the response validation module 709 to determine if the application and/or platform components are authentic.”); and determining to allow access to the online source of information by the automated software agent of the client device based on determining that the second hash value received from the automated software agent corresponds to the first hash value retrieved from the data structure (In ¶ 60, Taylor discloses “A response 711 can then be constructed and sent to the attestation server indicating whether the authentication of the remote client code has passed or not”)
	Regarding Claim 12, the combination of Taylor and Smith disclose: 
The method of claim 9, wherein receiving the second hash value from the automated software agent comprises: receiving a request to access the online source of information from the automated software agent, wherein the request to access the online source of information includes the second hash value and data associated with the automated software agent of the client device (In ¶ 47, Taylor discloses “This client software may perform any number of logical steps depending both on the purpose of this client software and user interaction until some later point 203 where there is some requirement for sensitive data or a sensitive operation 203 that requires the interaction of the server shown as 101 in FIG. 1….. In response to the attestation request the client sends a response 205 to the requesting server with some response, such as a software code fingerprint, that provides evidence that the code being executed is authentic.”)
	Regarding Claim 13, the combination of Taylor and Smith disclose: 
The method of claim 12, further comprising: wherein determining to allow access to the online source of information by the automated software agent of the client device comprises: determining to allow access to the online source of information by the automated software agent of the client device based on the first hash value, the second hash value, and data associated with the automated software agent of the client device included in the request to access the online source of information (IN ¶ 60, Taylor discloses “When the relevant fingerprints are extracted 710 they are then compared in the response validation module 709 to determine if the application and/or platform components are authentic. A response 711 can then be constructed and sent to the attestation server indicating whether the authentication of the remote client code has passed or not”);; and wherein processing the request to access the online source of information involving the automated software agent of the client device comprises: allowing the automated software agent to conduct the data transaction involving a specific type of data included in the online source of information based on the data associated with the automated software agent of the client device (In ¶ 47, Taylor discloses “If the attestation check passes 209 then the requested access to server information is granted.”).
	Regarding Claim 14, the combination of Taylor and Smith disclose: 
The method of claim 9, further comprising: transmitting a challenge question to the automated software agent of the client device (In ¶ 2, Taylor discloses “Challenge-response attestation algorithms may be employed in this scenario to provide a method allowing the client software to attest to its authenticity by calculating a cryptographic fingerprint hash of its executable code.”);; and receiving a response to the challenge question from the automated software agent of the client device  (In ¶ 30, Taylor discloses “In this case both the challenge value and response (i.e. the known good fingerprint) are recorded in the database.”);  wherein determining to allow access to the online source of information by the automated software agent of the client device comprises: determining to allow access to sensitive data included in the online source of information by the automated software agent of the client device based on the first hash value, the second hash value, and the response to the challenge question from the automated software agent of the client device  (In ¶ 30, Taylor discloses “When an attestation needs to be performed on a device in the untrusted device set then the same challenge value is provided by the server with the expectation of receiving the same response for the attestation to pass. If it is responds correctly to the challenge with the known good responses then it is assumed that the response to the new randomly generated challenge must also be valid.”).
Regarding Claim 16, Taylor discloses:
A computer program product, the computer program product comprising at least one non-transitory computer-readable medium including one or more instructions that, when executed by at least one processor (In ¶ 43, Taylor discloses “Referring to FIG. 1 an embodiment is depicted whereby a server device 101 communicates via a network 102 with a plurality of client devices 104.”):, cause the at least one processor to: receive, from a client device, an initialization access request for access to an online source of information by an automated software agent of the client device (In ¶ 45, Taylor discloses “In another embodiment it is the client device 104 that initiates the attestation request to the server device 101 so that it may then later prove its authenticity to said server device.”);59V2666.DOCxPage 8 of 16Application No. 17/022,267 Paper Dated: June 28, 2022In Reply to USPTO Correspondence of March 29, 2022 Attorney Docket No. 08223-2003773 (4612US01)transmit the private encryption key of the public/private encryption key pair to the automated software agent of the client device (In ¶ 59, Taylor discloses “In block 714, the computing device 102 responds to the request with an attestation based on the group private key 208 for the requested interface.”); receive a first hash value from the automated software agent of the client device, wherein the first hash value is generated using the private encryption key (In ¶ 60 Taylor discloses “An attestation response module 704 receives the incoming fingerprint(s) from a client application device 706. It then selects which particular fingerprints are of relevance based on information such as client device type and operating system and the type of the application that is being attested. See Figure 2, 205.” and in ¶ 65, Taylor further discloses “As discussed, using cryptographic hashing techniques it is reasonable to assume that this fingerprint can only be computed if an untampered version of the code is present in the client device.”); receive a second hash value from the automated software agent of the client device (In ¶ 60, Taylor discloses “An attestation response module 704 receives the incoming fingerprint(s) from a client application device 706. It then selects which particular fingerprints are of relevance based on information such as client device type and operating system and the type of the application that is being attested. See Figure 2, 205.”); determine whether to allow access to the online source of information by the automated software agent based on the first hash value and the second hash value received from the automated software agent of the client device (In ¶ 47, Taylor discloses “The server then checks the fingerprint or other response provided 206 to determine whether the client device software is considered to be authentic… Once the server has checked the authenticity it makes a divergent choice based on the result 207. If the attestation check passes 209 then the requested access to server information is granted.”); process a request to access the online source of information involving the automated software agent of the client device (In ¶ 47, Taylor discloses “After this the process may end 210 or further accesses to sensitive data or services may be required via 211. Further attestation checks may be desirable in this circumstance in case the client software is subject to some malicious attack on its code after the prior attestation check.”), wherein, when processing the request to access the online source of information, the at least one processor is programmed or configured to: allow the automated software agent to conduct a data transaction involving the online source of information based on determining to allow access to the online source of information by the automated software agent of the client device (In ¶ 47, Taylor discloses “If the attestation check passes 209 then the requested access to server information is granted.”); and store a data record associated with the data transaction involving the online source of information in a distributed ledger (In ¶ 56, Taylor discloses “The results of these system property probes are also returned to the server via the communication 511. This information may then be stored by the attestation server so that it this may be subsequently compared with against other information provided by the remote client device 501. Disparities between these two flows of information may be used to detect certain types of fraud enabled by software running on a client software device. For instance, the software may spoof device ID information in order to try and fool a server application that requests are coming from a different device. This can be detected if the device ID is extracted from the system properties 506 and transmitted independently in the communication 511.” and in ¶ 57, Taylor further discloses “Moreover, the attestation server devices 602 may be shared for the attestation of various different application server devices 601, verifying various distinct applications.”).
Taylor does not explicitly teach the limitation of the private encryption key. 
However, Smith discloses the following limitation:
generate software agent credential data associated with access credentials to the online source of information based on receiving the initialization request (In ¶ 57, Smith discloses “In block 706, the computing device 102 may be provisioned with a group private key 208 for one or more subsystems that the computing device 102 is a member of. The computing device 102 may be provisioned with the group private keys 208, for example, during system integration, when joining a subsystem, during deployment, or at other times. In some embodiments, in block 708 the computing device 102 may execute an enhanced privacy identifier (EPID) join protocol with a group leader to be provisioned with the group private keys 208. ”), wherein the software agent credential data associated with access credentials to the online source of information comprises a private encryption key of a public/private encryption key pair, wherein the private encryption key is assigned to the automated software agent of the client device (In ¶ 61, Smith discloses “the symmetric session key may be used to protect network communications within the subsystem. The symmetric key exchange may follow multiple potential strategies for provisioning the computing devices 102 with pair-wise session keys. For example, one approach may rely on a key exchange protocol between the computing devices 102, such as Diffie-Hellman key exchange, RSA key exchange, PAKE, or another variety. Continuing that example, each group member computing device 102 may obtain group symmetric keys for message integrity and/or confidentiality by performing a key exchange protocol where the symmetric integrity and/or confidentiality key(s) may be generated by the content originator and wrapped using an RSA or LWE key encryption key (KEK), which is signed using the group private key for either the subsystem (if representing an interface protocol consistent with inter-system semantics) or an object model interface (if representing an interface protocol consistent with intra-system semantics).”) 
One in ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to utilize Smith’s approach of utilizing a private encryption key with Taylor’s approach of attestation as the motivation would be to further protect the secure attestation request over the channel (see Smith ¶ 56).
Regarding Claim 17, the combination of Taylor and Smith disclose: 
The computer program product of claim 16, wherein the one or more instructions that cause the at least one processor to receive the 59V2666.DOCxPage 9 of 16Application No. 17/022,267 Paper Dated: June 28, 2022 In Reply to USPTO Correspondence of March 29, 2022 Attorney Docket No. 08223-2003773 (4612US01) second hash value from the automated software agent of the client device, cause the at least one processor to: receive a request to access the online source of information from the automated software agent, wherein the request to access the online source of information includes the second hash value and data associated with the automated software agent of the client device (In ¶ 47, Taylor discloses “This client software may perform any number of logical steps depending both on the purpose of this client software and user interaction until some later point 203 where there is some requirement for sensitive data or a sensitive operation 203 that requires the interaction of the server shown as 101 in FIG. 1….. In response to the attestation request the client sends a response 205 to the requesting server with some response, such as a software code fingerprint, that provides evidence that the code being executed is authentic.”)
	Regarding Claim 18, the combination of Taylor and Smith disclose: 
The computer program product of claim 17, wherein, the one or more instructions that cause the at least one processor to determine whether to allow access to the online source of information by the automated software agent of the client device, cause the at least one processor to: determine whether to allow access to the online source of information by the automated software agent of the client device based on the first hash value, the second hash value, and data associated with the automated software agent of the client device included in the request to access the online source of information (IN ¶ 60, Taylor discloses “When the relevant fingerprints are extracted 710 they are then compared in the response validation module 709 to determine if the application and/or platform components are authentic. A response 711 can then be constructed and sent to the attestation server indicating whether the authentication of the remote client code has passed or not”); and wherein, the one or more instructions that cause the at least one processor to process the request to access the online source of information involving the automated software agent of the client device, cause the at least one processor to: allow the automated software agent to conduct the data transaction involving a specific type of data included in the online source of information based on the data associated with the automated software agent of the client device (In ¶ 47, Taylor discloses “If the attestation check passes 209 then the requested access to server information is granted.”).
	Regarding Claim 19, the combination of Taylor and Smith disclose: 
The computer program product of claim 16, wherein, the one or more instructions that cause the at least one processor to receive the second hash value from the automated software agent of the client device, cause the at least one processor to: receive a request to access sensitive data included in the online source of information from the automated software agent, wherein the request to access sensitive data included in the online source of information includes the second hash value (In ¶ 47, Taylor discloses “This client software may perform any number of logical steps depending both on the purpose of this client software and user interaction until some later point 203 where there is some requirement for sensitive data or a sensitive operation 203 that requires the interaction of the server shown as 101 in FIG. 1….. In response to the attestation request the client sends a response 205 to the requesting server with some response, such as a software code fingerprint, that provides evidence that the code being executed is authentic.”)
	Regarding Claim 20, the combination of Taylor and Smith disclose: 
The computer program product of claim 19, wherein the at least one processor is further programmed or configured to: transmit a challenge question to the automated software agent of the client device (In ¶ 2, Taylor discloses “Challenge-response attestation algorithms may be employed in this scenario to provide a method allowing the client software to attest to its authenticity by calculating a cryptographic fingerprint hash of its executable code.”); and receive a response to the challenge question from the automated software agent of the client device (In ¶ 30, Taylor discloses “In this case both the challenge value and response (i.e. the known good fingerprint) are recorded in the database.”); wherein, the one or more instructions that cause the at least one processor to determine whether to allow access to the online source of information by the automated software agent of the client device, cause the at least one processor to: determine whether to allow access to the sensitive data included in the online source of information by the automated software agent of the client device based on the first hash value, the second hash value, and the response to the challenge question from the automated software agent of the client device  (In ¶ 30, Taylor discloses “When an attestation needs to be performed on a device in the untrusted device set then the same challenge value is provided by the server with the expectation of receiving the same response for the attestation to pass. If it is responds correctly to the challenge with the known good responses then it is assumed that the response to the new randomly generated challenge must also be valid.”)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Gagnon (US Publication Number 2021/0297423) discloses a system and method for securing access to network assets.
Oberheide et al. (US Publication Number 2016/0294562) discloses a method for distributed trust authentication of service providers.
Winklevoss et al. (US Patent Number 10158480) discloses a system and method for authorizing and performing autonomous device transactions.
Reed (US Patent Number 10579974) discloses a system and method for administration  and management of a digital asset network with rapid transaction settlements.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHADI H KOBROSLI/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492