Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/30/2022 has been entered.
 

Response to Arguments
Applicant’s arguments, filed 9/30/2022, with respect to the rejection(s) of claim(s) 1-5, 7-8, 10-18 and 20-23 under 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Fernandez-Hernandez.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-5, 7, 14-18 and 20-23 are rejected under 35 U.S.C. 103 as being unpatentable over Khosravi (US Patent Pub. 2008/0005359) in view of Tarumi (US Patent 8,988,715).

As per claims 1 and 14: Khosravi discloses a method for distributed access control, comprising (See Abstract): 
receiving, by a satellite component of an access control system, a request from a computing device to verify an identity of the computing device, wherein the request comprises one or more characteristics of the computing device, and wherein the satellite component runs on one or more processors (Paragraph 54; The access request 650 may include signed information 660b associated with the requested access grant of the requesting host device 610); 
verifying, by the satellite component, that the one or more characteristics of the computing device are valid, the verifying comprising one or more interactions with a management entity related to the computing device, wherein the satellite component is different from the management entity (Paragraph 54; The at least one access control server 620 determines whether to grant the requested network access based at least in part on the received signed information 660b associated with the access request 650); 
generating, by the satellite component, a signed document that is trusted by a control component of the access control system (Paragraph 54; In one embodiment, the signed information 660b may be collected by one or more platform management components executing independent of an operating system on the requesting host device 610); and 
providing, by the satellite component, the signed document to the computing device for use in requesting credentials from the control component to access a secure resource (Paragraph 54; If network access is to be granted, the at least one access control server 620 retrieves what policy information 680, if any, is to govern the network access of the requesting host device 610 based at least in part on the received signed information 660b associated with the access request 650).
Khosravi does not specifically disclose wherein: the satellite component, the computing device and the management entity are located in a first networking environment, and the control component and the secure resource are located in a second networking environment that is separate from the first networking environment.
Tarumi discloses a first display control unit configured to display, in the first environment, the input user interface for inputting the user information if the determination unit determines that the printer driver is capable of displaying, in the first environment, the input user interface for inputting the user information; an activation unit configured to activate software operated in a second environment different from the first environment (claim 1).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Khosravi and Tarumi in their entirety, to modify the technique of Khosravi so that the control component and the secure resource are located in a second networking environment that is separate from the first networking environment, by adopting Tarumi's teaching of a unit configured to activate software operated in a second environment different from the first environment. The motivation would have been to improve distributed access control.
As per claims 2 and 15: The method of Claim 1, wherein verifying, by the satellite component, that the one or more characteristics of the computing device are valid comprises:
providing a secure token to the computing device; and receiving a confirmation from the management entity that the computing device stored the secure token in a data store accessible by the computing device and the management entity (Paragraph 54; create a secure exchange and convey an application policy token to the access control server 620. In response, the access control server 620 may transmit a system policy token to each of the posture validation servers 630. The system policy token and the application policy token may then be used by the posture validation servers 630 to sign and return policy information to the at least one access control server 620).
As per claims 3 and 16: The method of Claim 2, wherein verifying, by the satellite component, that the one or more characteristics of the computing device are valid further comprises receiving an indication of the one or more characteristics from the management entity (Paragraph 54; The at least one access control server 620 determines whether to grant the requested network access based at least in part on the received signed information 660b associated with the access request 650).
As per claims 4 and 17: The method of Claim 1, wherein the one or more characteristics of the computing device comprise one or more of:
an internet protocol (IP) address; a network identifier; a group identifier; or a role (Paragraph 54; each posture validation server 630 is dedicated to authenticating and verifying received posture information from the various host devices). 
As per claims 5 and 18: The method of Claim 1, wherein the management entity corresponds to a platform service provider of the computing device, and wherein the satellite component interacts with the management entity via an application programming interface (API) provided by the platform service provider (Paragraph 18; The platform management components 170 are adapted to be executed by the second processor 150, independent of the operating system 145. The platform management components 170 are also configured to determine platform posture information independent of the operating system 145 and to generate signed platform posture information 180 based on a posture signature key 177 to obtain network access control policy information for the host platform device 110).
As per claim 6: The method of Claim 1, wherein the satellite component, the computing device, and the management entity are located in a first networking environment, and wherein the control component is located in a second networking environment that is separate from the first networking environment (Paragraph 54; one embodiment uses a two phase commit mechanism to create a secure exchange and convey an application policy token to the access control server 620. In response, the access control server 620 may transmit a system policy token to each of the posture validation servers 630).
As per claims 7 and 20: The method of Claim 1, wherein the signed document comprises a list of the one or more characteristics and a signature that is shared between the satellite component and the control component (Paragraph 54; In one embodiment, the signed information 660b may be collected by one or more platform management components executing independent of an operating system on the requesting host device 610).
As per claims 21-23: (New) The method of Claim 1, wherein the control component is unable to access the management entity (See Tarumi Claim 1).

Claim(s) 8-13 are rejected under 35 U.S.C. 103 as being unpatentable over Khosravi (US Patent Pub. 2008/0005359) in view of Tarumi (US Patent 8,988,715) and Fernandez-Hernandez (US Patent Pub. 2016/0154106).


As per claim 8: Khosravi discloses a method for distributed access control, comprising (See Abstract): 
receiving, by a satellite component of an access control system, a request from a computing device to verify an identity of the computing device, wherein the request comprises one or more characteristics of the computing device, and wherein the satellite component runs on one or more processors (Paragraph 54; The access request 650 may include signed information 660b associated with the requested access grant of the requesting host device 610); 
verifying, by the satellite component, that the one or more characteristics of the computing device are valid, the verifying comprising one or more interactions with a management entity related to the computing device, and wherein the satellite component is different from the management entity (Paragraph 54; The at least one access control server 620 determines whether to grant the requested network access based at least in part on the received signed information 660b associated with the access request 650); 
generating, by the satellite component, a signed document that is trusted by a control component of the access control system (Paragraph 54; In one embodiment, the signed information 660b may be collected by one or more platform management components executing independent of an operating system on the requesting host device 610); and 
providing, by the satellite component, the signed document to the computing device for use in requesting credentials from the control component to access a secure resource (Paragraph 54; If network access is to be granted, the at least one access control server 620 retrieves what policy information 680, if any, is to govern the network access of the requesting host device 610 based at least in part on the received signed information 660b associated with the access request 650).
Khosravi does not specifically disclose wherein: the satellite component, the computing device and the management entity are located in a first networking environment, and the control component and the secure resource are located in a second networking environment that is separate from the first networking environment.
Tarumi discloses a first display control unit configured to display, in the first environment, the input user interface for inputting the user information if the determination unit determines that the printer driver is capable of displaying, in the first environment, the input user interface for inputting the user information; an activation unit configured to activate software operated in a second environment different from the first environment (claim 1).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Khosravi and Tarumi in their entirety, to modify the technique of Khosravi so that the control component and the secure resource are located in a second networking environment that is separate from the first networking environment, by adopting Tarumi's teaching of a unit configured to activate software operated in a second environment different from the first environment. The motivation would have been to improve distributed access control.
Khosravi and Tarumi do not specifically disclose wherein the signature of the satellite component is generated based on one or more interactions with a management entity related to the computing device.
Fernandez-Hernandez discloses the method is based on the following principle: [0026] generation and transmission of random or pseudorandom (unpredictable) bits periodically from satellites, which need not be connected to the ground mission segment at the time they broadcast their navigation message. [0027] generation of digital signatures for the data from these satellites, and the transmission thereof through other satellites (Paragraph 25-27).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Khosravi, Tarumi and Fernandez-Hernandez in their entirety, to modify the technique of Khosravi so that the signature of the satellite component is generated based on one or more interactions with the management entity related to the computing device, by adopting Fernandez-Hernandez's teaching of generating digital signatures for data from satellites. The motivation would have been to improve distributed access control.
As per claim 10: The method of Claim 8, wherein the satellite component has verified that the one or more characteristics of the computing device are valid through the one or more interaction with the management entity (Paragraph 54; The at least one access control server 620 determines whether to grant the requested network access based at least in part on the received signed information 660b associated with the access request 650).
As per claim 11: The method of Claim 8, wherein the management entity corresponds to a platform service provider of the computing device, and wherein the satellite component interacts with the management entity via an application programming interface (API) provided by the platform service provider (Paragraph 18; The platform management components 170 are adapted to be executed by the second processor 150, independent of the operating system 145. The platform management components 170 are also configured to determine platform posture information independent of the operating system 145 and to generate signed platform posture information 180 based on a posture signature key 177 to obtain network access control policy information for the host platform device 110).
As per claim 12: The method of Claim 8, wherein the one or more characteristics of the computing device comprise one or more of:
an internet protocol (IP) address; a network identifier; a group identifier; or a role (Paragraph 54; each posture validation server 630 is dedicated to authenticating and verifying received posture information from the various host devices). 
As per claim 13: The method of Claim 8, wherein the signed document comprises a list of the one or more characteristics (Paragraph 25; authenticate the host platform based on previously received policy information including verified keys and/or access control lists (ACL)).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472. The examiner can normally be reached 7:30am-3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANTHONY D BROWN/Primary Examiner, Art Unit 2433