Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
1.	This action is responsive to:  an original application filed on 22 December 2021 with acknowledgement that this application is a continuation of application 16/193,658 now patent 11,210,079 that claims priority to European Patent Application filed 27 November 2017.
2.	Claims 2-21 are currently pending.  Claims 1, 5, and 12, are independent claims. 
3.	The IDS submitted on 22 December 2021 has been considered. 
Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
 The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. 
 An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer to - http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
5.	Claims 2-21 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of application 16/193,658 now patent 11,210,079.  Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/features of claimed technology for method for providing a firmware update of a device exist in the patented application in similar or different names, essentially performing the same tasks.  The table below is a comparison of the pending claims with the patented claims.  The difference between the claim set is that the pending claims contain less details.  The limitations not in the independent claims of the pending application are highlighted below.
PENDING CLAIMS
PATENT 11,210,079
A method for providing a firmware update to a first device, including a signing portal that provides software, the signing portal connected to a hardware security module (HSM) that contains an online portion having a signing key and an offline portion having a master key, 



the signing portal providing a software package that contains a firmware update signed with the signing key and a signing certificate signed with the master key, the method comprising: 


verifying, at the first device, a signature on the firmware update using a public part of the signing key; verifying, at the first device, a signature of the signing certificate using a public part of the master key; checking, at the first device, the signing certificate against a roll back counter; and rejecting or accepting, at the first device, the firmware update based on the outcome of the above verifying and checking
A method for providing a firmware update to a first device, comprising: receiving together as a software package, at the first device, from a signing portal that provides software, the signing portal connected to a hardware security module (HSM) that contains an online portion that is designed to be always available and an offline portion that is designed to be only available when a new master key is created or when signing a signing certificate, the software package contains: a firmware update signed with a signing key, the signing performed by the online portion of the HSM, a signing certificate, the signing certificate being signed with the master key by an offline portion of the HSM, and a revision number on the signing certificate, verifying, at the first device, the signature on the firmware update using the public part of the signing key; verifying, at the first device, the signature of the signing certificate using the public part of the master key; checking, at the first device, the revision number on the signing certificate against a roll back counter; and rejecting or accepting, at the first device, the received firmware update based on the outcome of the above verifying and checking.


Allowable Subject Matter
6.	Claims 17 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections – 35 USC § 103
7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


8.	Claim 2-12, 15-16, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Pyle U.S. Patent Application Publication No. 2016/0191253 (hereinafter ‘253) in view of Kawazu U.S. Patent Application Publication No. 2017/0010881 (hereinafter ‘881) in further view of Smith, II et al U.S. Patent Application Publication No. 2018/0004953 (hereinafter ‘953).
	As to independent claim 2, “A method for providing a firmware update to a first device, including a signing portal that provides software” is taught in ‘253 paragraph 8;
	“the signing portal connected to a hardware security module (HSM) that contains an online portion having a signing key” is shown in ‘253 paragraphs 26-27, note the programmable device may exchange (i.e. send or receive) information via the industrial control network (online component) …These paragraphs may have been signed using a private key (i.e. signing key);
	“and an offline portion having a master key” is disclosed in ‘253 paragraphs 5, note the offline component is interpreted equivalent to the programmable device; 	
	“and rejecting or accepting, at the first device, the firmware update based on the outcome of the above verifying and checking” is disclosed in ‘253 paragraphs 22 and 30;
the following is not explicitly taught in ‘253:
	“the method comprising: verifying, at the first device, a signature on the firmware update using a public part of the signing key; verifying, at the first device, a signature of the signing certificate using a public part of the master key; checking, at the first device, the signing certificate against a roll back counter” however ‘881 teaches a verification unit (i.e. checking) the version number (revision number) using the signatures of the public key certificate as well as preventing rollback of firmware on apparatus by tracking using a counter in the Abstract and paragraphs 6 and 30-32;
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253 to include a means to prevent rollback of firmware versions.  One of ordinary skill in the art would have been motivated to perform such a modification to protect the apparatus from attacks and improve the security of updates see ‘881 (paragraphs 4-5). 
the following is not explicitly taught in ‘253 and ‘881:
	“the signing portal providing a software package that contains a firmware update signed with the signing key and a signing certificate signed with the master key” however ‘953 teaches using a Hardware Security Module integrated into the processor (i.e. second device) of an industrial control system with the ability to sign firmware updates using appropriate signing code with private keys securely storing (i.e. offline) a private key in the Abstract and paragraphs 5 and 33.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253 and ‘881 to utilize a hardware security module to perform signing operations.  One of ordinary skill in the art would have been motivated to perform such a modification to prevent industrial components from being compromised see ‘953 (paragraphs 2-4 and 59-61).
	As to dependent claim 3, “The method according to claim 2, wherein checking the signing certificate includes checking a revision number against the roll back counter and comprises: determining whether the revision number: is equal to the roll back counter, and/or is greater than the roll back counter, and/or matches an expected consecutive number complying with a predetermined number series; and updating the roll back counter if the revision number on the signing certificate is greater or matches an expected consecutive number” is taught in ‘881paragraph 6.
	As to dependent claim 4, “The method according to claim 2, further comprising: verifying a signature on a revocation list; and checking whether the signing certificate is listed as revoked on the revocation list” is shown in ‘253 paragraphs 5, 22, and 29.
	As to independent claim 5, “A computer implemented method for providing a firmware update to an electronic device, comprising: at a signing portal” is taught in ‘253 paragraph 8;
	“connected to a hardware security module (HSM) that contains online portion having a signing key” is shown in ‘253 paragraphs 26-27, note the programmable device may exchange (i.e. send or receive) information via the industrial control network (online component) …These paragraphs may have been signed using a private key (i.e. signing key);
	“and an offline portion having a master key” is disclosed in ‘253 paragraphs 5, note the offline component is interpreted equivalent to the programmable device; 	
	“and rejecting or accepting, at the electronic device, the firmware update based on the outcome of the above verifying and checking” is disclosed in ‘253 paragraphs 22 and 30;
the following is not explicitly taught in ‘253:
	“verifying, at an electronic device, the signature on the firmware update using a public part of the signing key; verifying, at the electronic device, the signature of the signing certificate using a public part of the master key; checking, at the electronic device, the signing certificate against a roll back counter” however ‘881 teaches a verification unit (i.e. checking) the version number (revision number) using the signatures of the public key certificate as well as preventing rollback of firmware on apparatus by tracking using a counter in the Abstract and paragraphs 6 and 30-32;
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253 to include a means to prevent rollback of firmware versions.  One of ordinary skill in the art would have been motivated to perform such a modification to protect the apparatus from attacks and improve the security of updates see ‘881 (paragraphs 4-5). 
the following is not explicitly taught in ‘253 and ‘881:
	“obtaining a firmware update from an authenticated firmware provider; signing the firmware update by applying a signature with a private part of the signing key; signing a signing certificate by applying a signature with a private part of the master key” however ‘953 teaches using a Hardware Security Module integrated into the processor (i.e. second device) of an industrial control system with the ability to sign firmware updates using appropriate signing code with private keys securely storing (i.e. offline) a private key in the Abstract and paragraphs 5 and 33.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253 and ‘881 to utilize a hardware security module to perform signing operations.  One of ordinary skill in the art would have been motivated to perform such a modification to prevent industrial components from being compromised see ‘953 (paragraphs 2-4 and 59-61).

	As to dependent claim 6, “The computer implemented method according to claim 5, further comprising: generating an updated signing key; including a public part of the updated signing key in the firmware update; updating a revision number of the signing certificate and applying a signature of the master key to the signing certificate; sending the firmware update to the electronic device; and signing an updated signing certificate by applying the signature of the master key” ” is taught in ‘881 paragraphs 21-22 and 30-32.
	As to dependent claim 7, “The computer implemented method according to claim 6, further comprising: revoking the signing certificate by updating a revocation list with the signing certificate; and signing the updated revocation list by applying the signature of the master key” is shown in ‘253 paragraphs 5, 22, and 29.
	As to dependent claim 8, “The computer implemented method according to claim 5, comprising: generating an updated master key; generating an updated master certificate of the updated master key; including a public part of the updated master key and the updated master certificate in the firmware update; signing the firmware update by applying the signature of the signing key; and sending the firmware update to the electronic device” is disclosed in ‘253 paragraphs 22, 31, and 33.
	As to dependent claim 9, “The computer implemented method according to claim 5, comprising: generating an updated master key; generating a temporary master certificate of the updated master key; including a public part of the updated master key and the temporary master certificate in the firmware update; and signing the firmware update by applying the signature of the signing key” is taught in ‘253 paragraphs 22, 25, 31, 33, and 36.
	As to dependent claim 10, “The computer implemented method according to claim 9, further comprising: generating an updated master certificate of the updated master key; and applying a domain signature to the updated master certificate by applying a domain root key” is shown in ‘253 paragraphs 21-22.
	As to dependent claim 11, “The computer implemented method according to claim 8, further comprising: revoking the master certificate by updating a revocation list with the master certificate; signing the updated revocation list by applying the signature of a domain root key; generate a new signing certificate of the signing key; and signing the new signing certificate by applying the signature of the updated master key” is disclosed in ‘253 paragraphs 5, 22, and 29.

	As to independent claim 12, “A firmware update device, comprising: a signing portal” is taught in ‘253 paragraph 8;
	“including a Hardware Security Module HSM including that contains an online portion having a signing key” is shown in ‘253 paragraphs 26-27, note the programmable device may exchange (i.e. send or receive) information via the industrial control network (online component) …These paragraphs may have been signed using a private key (i.e. signing key);
	“and an offline portion having a master key” is disclosed in ‘253 paragraphs 5, note the offline component is interpreted equivalent to the programmable device;
	“and accept or reject the firmware update based on the outcome of the above verifying and checking” is disclosed in ‘253 paragraphs 22 and 30;
the following is not explicitly taught in ‘253:
	“that is configured to verify a signature of the software package by a public part of the signing key and verify a signature of the signing certificate by a public part of the master key, check the signing certificate against a roll back counter” however ‘881 teaches a verification unit (i.e. checking) the version number (revision number) using the signatures of the public key certificate as well as preventing rollback of firmware on apparatus by tracking using a counter in the Abstract and paragraphs 6 and 30-32;
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253 to include a means to prevent rollback of firmware versions.  One of ordinary skill in the art would have been motivated to perform such a modification to protect the apparatus from attacks and improve the security of updates see ‘881 (paragraphs 4-5).
the following is not explicitly taught in ‘253 and ‘881: 
	“the signing portal configured to sign a software package by a private part of the signing key, sign a signing certificate by a private part of the master key, and transmit the software package and the signing certificate to a device” however ‘953 teaches using a Hardware Security Module integrated into the processor (i.e. second device) of an industrial control system with the ability to sign firmware updates using appropriate signing code with private keys securely storing (i.e. offline) a private key in the Abstract and paragraphs 5 and 33.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253 and ‘881 to utilize a hardware security module to perform signing operations.  One of ordinary skill in the art would have been motivated to perform such a modification to prevent industrial components from being compromised see ‘953 (paragraphs 2-4 and 59-61).
	As to dependent claim 13, “The firmware update device according to claim 12, wherein the offline portion further stores a domain/root key, which domain key is used: to apply a signature to a master certificate for the master key with a private part of the domain key; and to apply a signature to a master certificate revocation list with the private part of the domain key” is taught in ‘253 paragraphs 5, 22, and 29.
	As to dependent claim 15, “The firmware update device according to claim 12, wherein the roll back counter indicates the latest revision number of the signing certificate; wherein the roll back counter is updated with each certificate update/replacement; and wherein the checking of a revision number against the roll back counter by the device comprises: checking whether the revision number is equal to the roll back counter; and/or checking whether the revision number is greater than the roll back counter; and/or whether the revision number matches an expected consecutive number complying with a predetermined number series; and wherein the device is arranged for updating the roll back counter if the revision number on the signing certificate is greater or matches an expected consecutive number” is shown in ‘881 paragraph 6.
	As to dependent claim 16, “The firmware update device according to claim 12, wherein the software package comprises a firmware update for an electronic device” is disclosed in ‘253 paragraph 8.
	As to dependent claim 19, “The method according to claim 2, wherein the software package includes a revision number of the signing certificate” is taught in ‘881 Abstract and paragraph 6.
	As to dependent claim 20, “The method according to claim 2, wherein the firmware update is signed with the signing key by the online portion of the HSM” is shown in ‘953 Abstract, paragraphs 5 and 33.
	As to dependent claim 21, “The method according to claim 2, wherein the signing certificate is signed with the master key by the offline portion of the HSM” is disclosed ‘953 Abstract, paragraphs 5 and 33.
9.	Claims 14 are rejected under 35 U.S.C. 103 as being unpatentable over Pyle U.S. Patent Application Publication No. 2016/0191253 (hereinafter ‘253) in view of Kawazu U.S. Patent Application Publication No. 2017/0010881 (hereinafter ‘881) in further view of Smith, II et al U.S. Patent Application Publication No. 2018/0004953 (hereinafter ‘953) in further view of Braams U.S. Patent Application Publication No. 2010/0058317 (hereinafter ‘317).

	As to dependent claim 14, the following is not explicitly taught in ‘253, ‘953 and ‘881: “The firmware update system according to claim 12, further comprising a Certificate Revocation List CRL provided with a signature of the master key; and wherein the device is further configured to check: a signature of the CRL by the public part of the master key; and whether the signing certificate is valid and/or not revoked” however ‘317 teaches the use of certificate revocation lists which can be looked up using a On-Line Certificate Status Protocol (OCSP) in paragraphs 10 and 19.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of firmware updates provided with certificates taught in ‘253, ‘953, and ‘881 to include a means to acquire a certificate revocation list (CRL).  One of ordinary skill in the art would have been motivated to perform such a modification improve the means to provide software updates to electronic devices see ‘317 paragraphs 3-5, and 19. 
Conclusion
10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842.  The examiner can normally be reached from M-F 9 AM to 6PM.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
_______________________________/ELLEN TRAN/Primary Examiner, Art Unit 2433                                                                                                                                                                                                        26 September 2022