DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 06/28/2022 has been entered.
As per instant Amendment, Claims 1, 8 and 15 are independent claims.  Claims 1-20 have been examined and are pending. This Action is made Non-FINAL.

Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 06/28/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “the Office has offered an advisory opinion that the proxy system limitation and the certificate expiration monitor are being construed under 35 USC 112(f) [] the Office would have identified the function associated with any alleged limitation that was being construed under 35 U.S.C. 112(f) and the algorithmic structure associated with that function. Instead, the Office has identified non-algorithmic structure that includes a number of system components that do not correlate to the claim limitations.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that, in the claimed “a proxy system” and “data processing system,” the term “system” is a non-structural term; said term “system” is coupled with functional language (i.e., determin[ing], generat[ing], and receiv[ing]); and the term “system” is not preceded or modified by any structural modifier (i.e., determination, generation, and receiving are not structural modifiers). Said non-structural terms are coupled with functional language (i.e., determin[ing], generat[ing], and receiv[ing]), and are not modified by any sufficient corresponding structure. As the three-prong test is met, the claimed limitations “a proxy system [] configured to determine,” “a certificate expiration monitor [] configured to generate,” “data processing system is configured to receive,” “the proxy system is configured to receive,” and “the proxy system is configured to determine” are interpreted under 112(f).
Please note that “the corresponding structure is required to be more than simply a general purpose computer or microprocessor;”   “[t]he structure corresponding to a § 112(f) claim limitation for a computer-implemented function must include the algorithm needed to transform the general purpose computer or microprocessor disclosed in the specification”. Since the specification does not provide the algorithm to transform the general purpose computer/microprocessor to a specific computer/microprocessor, the specification does not sufficiently provide corresponding structure for the claimed means plus function. See MPEP 2181; See also In re Katz Interactive Call Processing Patent Litig. V. American Airlines, Inc., 97 U.S.P. Q.2D 1737 (Fed. Cir. 2011); and Precedential Opinion - Ex parte Rodriquez. Therefore the aforementioned limitations are interpreted under 35 U.S.C. 112 (f).

Applicant’s arguments: “Goeringer fails to disclose the claimed proxy system operating on a processor and certificate expiration monitor operating on the processor.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Goeringer discloses a proxy system operating on a processor and configured to determine whether an expiration associated with the anchor certificate for each data processing system is within a predetermined time of expiration (Goeringer: ¶0045 in the case of a PKI Subscriber already having a valid (but expiring) Certificate, system 100 is enabled to not only automatically renew the expiring Certificate, but also to issue the renewed Certificate issued online at nearly the same security level as used to protect keys for the expiring Certificate [...] the renewal Certificate is issued prior to expiration of the expiring Certificate; ¶0046 the proactive management alerts may be further enhanced through leveraging of custom extensions, such as "use before", "use after", or other custom extensions that enable proactive management of the timing of Certificate renewals prior to expiration); and a certificate expiration monitor operating on the processor and configured to generate a certificate signing request in response to the determination that the expiration associated with the anchor certificate for each data processing system is within the predetermined time of expiration (Goeringer: ¶0042 at step S120, subscriber 106 submits a Certificate Signing Request (CSR, e.g., a message conveying a request to have a Certificate issued) to RA 104 for approval thereby).
More specifically, Goeringer discloses the terms "processor" and "computer" and related terms, e.g., "processing device", "computing device", and "controller" are not limited to just those integrated circuits referred to in the art as a computer, but broadly refers to a microcontroller, a microcomputer, a programmable logic controller (PLC), an application specific integrated circuit (ASIC), and other programmable circuits, and these terms are used interchangeably herein [0019] and subscriber 106 may include a processor and an electronic memory [], and store at least one application or set of computer executable instructions within the memory. When executed by the processor, the computer-executable instructions may cause Subscriber 106 to initiate one or more of the Subscriber-related steps [] these Subscriber-related steps may be executed automatically upon transmittal of one or more of the several alerts [] and may be further executed automatically, without the need for manual intervention [0037]. Therefore, as the metes and bounds of the limitation have been met as noted above, the examiner finds this argument not persuasive.

The amended claims 3-5, 7, 9-12 and 18 have been addressed in rejection below.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claims 1-7 are interpreted under 35 U.S.C. 112(f) or Pre-AIA  35 U.S.C. 112, sixth paragraph, as reciting means-plus functions.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a proxy system [] configured to determine,” “a certificate expiration monitor [] configured to generate,” recited in claim 1; “data processing system is configured to receive/replace” recited in claim 2; “means to receive/replace” recited in claim 3; “the proxy system is configured to determine/review” recited in claim 4; “the proxy system is configured to automatically review … and to replace” recited in claim 7.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 6, 8, 10-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Goeringer et al. (“Goeringer,” US 2020/0059372) in view of LLOYD et al. (“Lloyd,” US 2016/0315777).

Regarding claim 1: Goeringer discloses a system for data processing, comprising:
a plurality of data processing systems, each associated with a user (Goeringer: ¶0069 one or more electronic or computing devices. Such devices typically include a processor, processing device, or controller [...] and/or any other circuit or processing device capable of executing the functions);
a proxy system operating on a processor and configured to determine whether an expiration associated with the anchor certificate for each data processing system is within a predetermined time of expiration (Goeringer: ¶0045 in the case of a PKI Subscriber already having a valid (but expiring) Certificate, system 100 is enabled to not only automatically renew the expiring Certificate, but also to issue the renewed Certificate issued online at nearly the same security level as used to protect keys for the expiring Certificate [...] the renewal Certificate is issued prior to expiration of the expiring Certificate; ¶0046 the proactive management alerts may be further enhanced through leveraging of custom extensions, such as "use before", "use after", or other custom extensions that enable proactive management of the timing of Certificate renewals prior to expiration); and
a certificate expiration monitor operating on the processor and configured to generate a certificate signing request in response to the determination that the expiration associated with the anchor certificate for each data processing system is within the predetermined time of expiration (Goeringer: ¶0042 at step S120, subscriber 106 submits a Certificate Signing Request (CSR, e.g., a message conveying a request to have a Certificate issued) to RA 104 for approval thereby).
Goeringer does not explicitly disclose data processing systems having an anchor certificate.
However, Lloyd discloses data processing systems having an anchor certificate (Lloyd: ¶0054 company A's trust anchor 610 (e.g., its root certificate authority) [...] company B's trust anchor 620 (e.g., its root certificate authority)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Lloyd with the system/method of Goeringer to include data processing systems having an anchor certificate.
One would have been motivated to provide systems and/or methods for updating certificates using authority information access certificate extensions-a feature of Public Key Infrastructure X.509 (PKIX) (Lloyd: ¶0015).

Regarding claim 6: Goeringer in view of Lloyd discloses the system of claim 1.
Goeringer further discloses wherein the proxy system is configured to determine a validity of the anchor certificate for each data processing system in accordance with RFC 5280 Internet X.509 Public Key Infrastructure Certificate and a Certificate Revocation List (CRL) Profile (Goeringer: ¶0029 the present embodiments are fully compatible with existing Certificate processes that leverage existing RFC 5280-compliant processes (i.e., according to Internet X.509 Public Key Infrastructure Certificate and CRL Profile)).

Regarding claim 8: Goeringer discloses a method for data processing, comprising:
a plurality of data processing systems, wherein each data processing system is associated with a user (Goeringer: ¶0069 one or more electronic or computing devices. Such devices typically include a processor, processing device, or controller [...] and/or any other circuit or processing device capable of executing the functions);
determining with a proxy system operating on a processor whether an expiration associated with the anchor certificate for each data processing system is within a predetermined time of expiration (Goeringer: ¶0045 in the case of a PKI Subscriber already having a valid (but expiring) Certificate, system 100 is enabled to not only automatically renew the expiring Certificate, but also to issue the renewed Certificate issued online at nearly the same security level as used to protect keys for the expiring Certificate [...] the renewal Certificate is issued prior to expiration of the expiring Certificate; ¶0046 the proactive management alerts may be further enhanced through leveraging of custom extensions, such as "use before", "use after", or other custom extensions that enable proactive management of the timing of Certificate renewals prior to expiration); and
generating a certificate signing request with a certificate expiration monitor operating on the processor in response to the determination that the expiration associated with the anchor certificate for each data processing system is within the predetermined time of expiration (Goeringer: ¶0042 at step S120, subscriber 106 submits a Certificate Signing Request (CSR, e.g., a message conveying a request to have a Certificate issued) to RA 104 for approval thereby).
Goeringer does disclose one or more electronic or computing devices but does not explicitly disclose receiving an anchor certificate from each of a plurality of data processing systems.
However, Lloyd discloses receiving an anchor certificate from each of a plurality of data processing systems (Lloyd: ¶0056 the certificates are signed at the root level, and Company A can sign and push out intermediate certificates for Company B).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Lloyd with the system/method of Goeringer to include receiving an anchor certificate from each of a plurality of data processing systems.
One would have been motivated to provide systems and/or methods for updating certificates using authority information access certificate extensions-a feature of Public Key Infrastructure X.509 (PKIX) (Lloyd: ¶0015).

Regarding claim 10: Goeringer in view of Lloyd discloses the method of claim 8.
Goeringer further discloses preventing access by each data processing system to an external network if the expiration associated with the anchor certificate for each data processing system is within the predetermined time of expiration (Goeringer: ¶0059 process 300 may automate the management of the revocation subprocess such that Subscriber 106 is enabled to revoke the expiring Certificate, to further prevent the expiring Certificate from being misused prior to its expiration); and
allowing access by each data processing system to the external network after replacing the previous anchor certificate with the new anchor certificate (Goeringer: ¶0035 if the receiving server validates that Certificate or the signature of the Certificate [] then the receiving server approves the connection request).
Lloyd further discloses receiving a new anchor certificate for each data processing system using the proxy system; replacing a previous anchor certificate with the new anchor certificate (Lloyd: ¶0018 intermediate certificate authorities can be updated using standard RFC 5280 extensions; ¶0031 intermediate certificate authority 220 can refer to its parent, using what is sometimes referred to as a cascade update process. In such a process, root certificate authority 210 can perform a root certificate update algorithm, after which an intermediate certificate authority 220 can pull an updated certificate from root certificate authority 210).
The motivation is the same as that of claim 8 above.
 
Regarding claim 11: Goeringer in view of Lloyd discloses the method of claim 8.
Goeringer further discloses preventing access to one of the data processing system if the anchor certificate for that data processing system is invalid (Goeringer: ¶0059 process 300 may automate the management of the revocation subprocess such that Subscriber 106 is enabled to revoke the expiring Certificate, to further prevent the expiring Certificate from being misused prior to its expiration).
Lloyd further discloses determining a validity of the anchor certificate for each data processing system using the proxy system (Lloyd: ¶0033 intermediate certificate authority 220 can update its certificate, or change certificates that it has previously issued [] intermediate certificate authority 220 can reissue all certificates that are associated with it, and re-sign them as required).
The motivation is the same as that of claim 8 above.

Regarding claim 12: Goeringer in view of Lloyd discloses the method of claim 8.
Goeringer further discloses determining a validity of the anchor certificate for each data processing system using the proxy system in accordance with RFC 5280 Internet X.509 Public Key Infrastructure Certificate (Goeringer: ¶0029 existing Certificate processes that leverage existing RFC 5280-compliant processes (i.e., according to Internet X.509 Public Key Infrastructure Certificate)); and
preventing access to one of the data processing system if the anchor certificate for that data processing system is invalid until a new anchor certificate is received (Goeringer: ¶0059 if use of the new Certificate was successful in step 324, self-revocation of the old, expiring Certificate is implemented [] process 300 may automate the management of the revocation subprocess such that Subscriber 106 is enabled to revoke the expiring Certificate, to further prevent the expiring Certificate from being misused prior to its expiration (i.e., in the period after the new/renewal Certificate has been issued, but before the expiring Certificate has actually expired)).

Regarding claim 13: Goeringer in view of Lloyd discloses the method of claim 8.
Goeringer further discloses determining a validity of the anchor certificate for each data processing system wherein the proxy system in accordance with RFC 5280 Internet X.509 Public Key Infrastructure Certificate and a Certificate Revocation List (CRL) Profile (Goeringer: ¶0029 the present embodiments are fully compatible with existing Certificate processes that leverage existing RFC 5280-compliant processes (i.e., according to Internet X.509 Public Key Infrastructure Certificate and CRL Profile)).

Regarding claim 14: Goeringer in view of Lloyd discloses the method of claim 11.
Lloyd further discloses receiving a new anchor certificate for each data processing system with the proxy system and replacing a previous anchor certificate with the new anchor certificate after determining the validity of the anchor certificate (Lloyd: ¶0018 intermediate certificate authorities can be updated using standard RFC 5280 extensions; ¶0031 root certificate authority 210 can perform a root certificate update algorithm, after which an intermediate certificate authority 220 can pull an updated certificate from root certificate authority 210; ¶0061 security policies might mandate that end entity certificates are replaced once a week, month, year, etc.).
The motivation is the same as that of claim 8 above.

Regarding claim 15: Goeringer discloses a data memory device storing algorithmic instructions that cause a processor to perform the steps of:
a plurality of data processing systems, wherein each data processing system is associated with a user (Goeringer: ¶0069 one or more electronic or computing devices. Such devices typically include a processor, processing device, or controller [...] and/or any other circuit or processing device capable of executing the functions);
determining with a proxy system operating on a processor whether an expiration associated with the anchor certificate for each data processing system is within a predetermined time of expiration (Goeringer: ¶0045 in the case of a PKI Subscriber already having a valid (but expiring) Certificate, system 100 is enabled to not only automatically renew the expiring Certificate, but also to issue the renewed Certificate issued online at nearly the same security level as used to protect keys for the expiring Certificate [...] the renewal Certificate is issued prior to expiration of the expiring Certificate; ¶0046 the proactive management alerts may be further enhanced through leveraging of custom extensions, such as "use before", "use after", or other custom extensions that enable proactive management of the timing of Certificate renewals prior to expiration); and
generating a certificate signing request with a certificate expiration monitor operating on the processor in response to the determination that the expiration associated with the anchor certificate for each data processing system is within the predetermined time of expiration (Goeringer: ¶0042 at step S120, subscriber 106 submits a Certificate Signing Request (CSR, e.g., a message conveying a request to have a Certificate issued) to RA 104 for approval thereby).
Goeringer does disclose one or more electronic or computing devices but does not explicitly disclose receiving an anchor certificate from each of a plurality of data processing systems.
However, Lloyd discloses receiving an anchor certificate from each of a plurality of data processing systems (Lloyd: ¶0056 the certificates are signed at the root level, and Company A can sign and push out intermediate certificates for Company B).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Lloyd with the system/method of Goeringer to include receiving an anchor certificate from each of a plurality of data processing systems.
One would have been motivated to provide systems and/or methods for updating certificates using authority information access certificate extensions-a feature of Public Key Infrastructure X.509 (PKIX) (Lloyd: ¶0015).

Regarding claim 16: Goeringer in view of Lloyd discloses the data memory device of claim 15.
Lloyd further discloses the algorithmic instructions further comprise receiving a new anchor certificate with each data processing system (Lloyd: ¶0041 end entities 230 and other devices can periodically (e.g., once a day, week, etc.) poll for third party certificate authority 240 (also known as a caRepository endpoint) for replacement (or updated) certificates); and
replacing with each data processing system a previous anchor certificate with the new anchor certificate (Lloyd: ¶0044 a trust anchor may need to be replaced. To replace a certificate that identifies root certificate authority 210 (e.g., a trust anchor), root certificate authority 210 can send a PKCS #10 file to request three certificates from third party certificate authority 240).
The motivation is the same as that of claim 15 above.

Regarding claim 17: Goeringer in view of Lloyd discloses the data memory device of claim 15.
Lloyd further discloses the algorithmic instructions further comprise receiving a new anchor certificate for each data processing system using the proxy system; and replacing a previous anchor certificate with the new anchor certificate (Lloyd: ¶0018 intermediate certificate authorities can be updated using standard RFC 5280 extensions; ¶0031 intermediate certificate authority 220 can refer to its parent, using what is sometimes referred to as a cascade update process. In such a process, root certificate authority 210 can perform a root certificate update algorithm, after which an intermediate certificate authority 220 can pull an updated certificate from root certificate authority 210).
The motivation is the same as that of claim 15 above.

Regarding claim 19: Goeringer in view of Lloyd discloses the data memory device of claim 15.
Goeringer further discloses wherein the algorithmic instructions further comprise determining a validity of the anchor certificate for each data processing system using the proxy system in accordance with RFC 5280 Internet X.509 Public Key Infrastructure Certificate (Goeringer: ¶0029 existing Certificate processes that leverage existing RFC 5280-compliant processes (i.e., according to Internet X.509 Public Key Infrastructure Certificate)).

Regarding claim 20: Goeringer in view of Lloyd discloses the data memory device of claim 15.
Goeringer further discloses wherein the algorithmic instructions further comprise determining a validity of the anchor certificate for each data processing system wherein the proxy system in accordance with RFC 5280 Internet X.509 Public Key Infrastructure Certificate and a Certificate Revocation List (CRL) Profile (Goeringer: ¶0029 the present embodiments are fully compatible with existing Certificate processes that leverage existing RFC 5280-compliant processes (i.e., according to Internet X.509 Public Key Infrastructure Certificate and CRL Profile)).

Claims 2-5, 7, 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Goeringer et al. (“Goeringer,” US 2020/0059372) in view of LLOYD et al. (“Lloyd,” US 2016/0315777) and Xie et al. (“Xie,” US 2016/0173488), published on June 16, 2016.

Regarding claim 2: Goeringer in view of Lloyd discloses the system of claim 1.
Lloyd further discloses wherein each data processing system is configured to receive a new anchor certificate and to replace a previous anchor certificate with the new anchor certificate (Lloyd: ¶0041 end entities 230 and other devices can periodically (e.g., once a day, week, etc.) poll for third party certificate authority 240 (also known as a caRepository endpoint) for replacement (or updated) certificates; ¶0044 a trust anchor may need to be replaced. To replace a certificate that identifies root certificate authority 210 (e.g., a trust anchor), root certificate authority 210 can send a PKCS #10 file to request three certificates from third party certificate authority 240).
The motivation is the same as that of claim 1 above.
Goeringer in view of Lloyd discloses to replace trust anchor certificate but does not explicitly disclose receive a new certificate from a firewall system.
However, Xie discloses receive a new certificate from a firewall system (Xie: ¶0052 the firewall may generate a new CA certificate or renew the CA certificate before it is expired).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Xie with the system/method of Lloyd and Goeringer to include receive a new certificate from a firewall system.
One would have been motivated to manage security of a client and manage the security of traffic passing through the network (Xie: ¶0010).

Regarding claim 3: Goeringer in view of Lloyd discloses the system of claim 1.
Lloyd further discloses wherein the proxy system comprises means to receive a new anchor certificate from for each data processing system and to replace a previous anchor certificate with the new anchor certificate (Lloyd: ¶0018 intermediate certificate authorities can be updated using standard RFC 5280 extensions; ¶0031 intermediate certificate authority 220 can refer to its parent, using what is sometimes referred to as a cascade update process. In such a process, root certificate authority 210 can perform a root certificate update algorithm, after which an intermediate certificate authority 220 can pull an updated certificate from root certificate authority 210).
The motivation is the same as that of claim 1 above.
Goeringer in view of Lloyd discloses replacing a trust anchor certificate but does not explicitly disclose receive a new certificate from a firewall system and new certificate perform a firewall function.
However, Xie discloses receive a new certificate from a firewall system (Xie: ¶0052 the firewall may generate a new CA certificate or renew the CA certificate before it is expired); and
new certificate perform a firewall function (Xie: ¶0032 a CA certificate 111 may be generated by firewall 120 and used for signing a server certificate that is used for establishing an SSL session with SSL client 110 for deep inspection of encrypted traffic transmitted to and from SSL client 110).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Xie with the system/method of Lloyd and Goeringer to include receive a new certificate from a firewall system and new certificate perform a firewall function.
One would have been motivated to do so in order to manage the security of a client and the security of traffic passing through the network (Xie: ¶0010).



Regarding claim 4: Goeringer in view of Lloyd discloses the system of claim 1.
Goeringer further discloses renew the anchor certificate (Goeringer: ¶0028 the automated management of automatic PKI certificate renewal).
Lloyd further discloses wherein the proxy system is configured to determine a validity of the anchor certificate for each data processing system, and to provide a firewall function (Lloyd: ¶0033 intermediate certificate authority 220 can update its certificate, or change certificates that it has previously issued [...] intermediate certificate authority 220 can reissue all certificates that are associated with it, and re-sign them as required; ¶0022 gateway 106 can include or be coupled to a firewall separating gateway 106 from public network 104 (e.g., Internet)).
The motivation is the same as that of claim 1 above.
Goeringer in view of Lloyd does not explicitly provide a firewall function.
However, Xie discloses provide a firewall function (Xie: ¶0032 a CA certificate 111 may be generated by firewall 120 and used for signing a server certificate that is used for establishing an SSL session with SSL client 110 for deep inspection of encrypted traffic transmitted to and from SSL client 110).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Xie with the system/method of Lloyd and Goeringer to include provide a firewall function.
One would have been motivated to do so in order to manage the security of a client and the security of traffic passing through the network (Xie: ¶0010).


Regarding claim 5: Goeringer in view of Lloyd discloses the system of claim 1.
Goeringer further discloses wherein the proxy system is configured to determine a validity of the anchor certificate for each data processing system in accordance with RFC 5280 Internet X.509 Public Key Infrastructure Certificate prior to allowing data communications with each data processing system (Goeringer: ¶0029 existing Certificate processes that leverage existing RFC 5280-compliant processes (i.e., according to Internet X.509 Public Key Infrastructure Certificate); ¶0035 if the receiving server validates that Certificate or the signature of the Certificate [] then the receiving server approves the connection request).
Goeringer in view of Lloyd does not explicitly disclose the proxy system is operated by a firewall system and controls access to the plurality of data processing systems.
However, Xie discloses the proxy system is operated by a firewall system and controls access to the plurality of data processing systems (Xie: ¶0032 endpoint control module 124 may be a daemon running on firewall 120 that may manage the client security manager remotely).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Xie with the system/method of Goeringer and Lloyd to include the proxy system is operated by a firewall system and controls access to the plurality of data processing systems.
One would have been motivated to do so in order to manage the security of a client and the security of traffic passing through the network (Xie: ¶0010).

Regarding claim 7: Goeringer in view of Lloyd and Xie discloses the system of claim 4.
Goeringer further discloses wherein the proxy system is configured to automatically renew the anchor certificate for each data processing system (Goeringer: ¶0009 automating management of automatic renewal of a public key infrastructure (PKI) certificate issued by a certificate authority (CA) for a subscriber).
Lloyd further discloses to replace a previous anchor certificate with the renewed anchor certificate after determining the validity of the anchor certificate (Lloyd: ¶0018 intermediate certificate authorities can be updated using standard RFC 5280 extensions; ¶0031 root certificate authority 210 can perform a root certificate update algorithm, after which an intermediate certificate authority 220 can pull an updated certificate from root certificate authority 210; ¶0061 security policies might mandate that end entity certificates are replaced once a week, month, year, etc.).
The motivation is the same as that of claim 1 above.

Regarding claim 9: Goeringer in view of Lloyd discloses the method of claim 8.
Lloyd further discloses receiving a new anchor certificate with each data processing system from the proxy system (Lloyd: ¶0041 end entities 230 and other devices can periodically (e.g., once a day, week, etc.) poll for third party certificate authority 240 (also known as a caRepository endpoint) for replacement (or updated) certificates); 
replacing with each data processing system a previous anchor certificate with the new anchor certificate (Lloyd: ¶0044 a trust anchor may need to be replaced. To replace a certificate that identifies root certificate authority 210 (e.g., a trust anchor), root certificate authority 210 can send a PKCS #10 file to request three certificates from third party certificate authority 240); and
The motivation is the same as that of claim 8 above.
Goeringer in view of Lloyd discloses an anchor certificate but does not explicitly disclose using the new anchor certificate for firewall processing.
However, Xie discloses using the new anchor certificate for firewall processing (Xie: ¶0032 a CA certificate 111 may be generated by firewall 120 and used for signing a server certificate that is used for establishing an SSL session with SSL client 110 for deep inspection of encrypted traffic transmitted to and from SSL client 110).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Xie with the system/method of Lloyd and Goeringer to include using the new anchor certificate for firewall processing.
One would have been motivated to do so in order to manage the security of a client and the security of traffic passing through the network (Xie: ¶0010).
  
Regarding claim 18: Goeringer in view of Lloyd discloses the data memory device of claim 15.
Lloyd further discloses wherein the algorithmic instructions further comprise determining a validity of the anchor certificate for each data processing system using the proxy system (Lloyd: ¶0033 intermediate certificate authority 220 can update its certificate, or change certificates that it has previously issued [...] intermediate certificate authority 220 can reissue all certificates that are associated with it, and re-sign them as required).
The motivation is the same as that of claim 15 above.
Goeringer in view of Lloyd does not explicitly disclose proxy system as part of firewall processing for each data processing system.
However, Xie discloses proxy system as part of firewall processing for each data processing system (Xie: ¶0030 non-limiting examples of network security devices include proxy servers, firewalls, VPN appliances, gateways, UTM appliances and the like).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Xie with the system/method of Lloyd and Goeringer to include proxy system as part of firewall processing for each data processing system.
One would have been motivated to do so in order to manage the security of a client and the security of traffic passing through the network (Xie: ¶0010).


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439