DETAILED ACTION
Claims 1-21 are pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/09/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. US 11,201,739 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because both methods comprise substantially the same elements. For example, function performed by claim 1 of the instant application are the same and obvious steps as the subset noted below. 
The differences are bolded in the table below.




Instant Application 17/522,305
US 11,201,739 B2
1. A method performed by a server in a computing system, the method comprising: 

















receiving a request for a data access token from a computing node, wherein the data access token is a token required to access data stored in a data storage system, and the data stored in the data storage system is required for a task scheduled for execution on the computing node; 


verifying a digital signature associated with the request for the data access token; 


extracting a task identifier (ID) that identifies the task from the request for the data access token; 

transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node; 

receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node; 

subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.
1. A method performed by a server in a computing system, the method comprising:

receiving a request for a task token from a computing node, wherein the task token is a token specific to a task scheduled for execution on the computing node, and wherein the request for the task token includes a task identifier (ID) that identifies the task;

digitally signing at least the task ID to obtain a digital signature, and incorporating the task ID and the digital signature into the task token;

transmitting the task token to the computing node;

subsequently receiving a request for a data access token from the computing node, wherein the data access token is a token required to access data stored in a data storage system, and wherein the request for the data access token includes the task token;



verifying the digital signature of the task token received in the request for the data access token;

extracting the task ID from the task token received in the request for the data access token;

transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node;

receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node;

subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.

The difference in the independent claim 1 of the patent includes limitation of “receiving a request for a task token from a computing node, wherein the task token is a token specific to a task scheduled for execution on the computing node, and wherein the request for the task token includes a task identifier (ID) that identifies the task, digitally signing at least the task ID to obtain a digital signature, and incorporating the task ID and the digital signature into the task token, transmitting the task token to the computing node” and the other similar limitations having more details functionality which further narrows the claim of the patent. It would have been obvious to a person of ordinary skill of the art at the time of invention to read the broader limitations of the instant application from the narrower limitation of the patent as the patent anticipates the broader limitation of the instant application.

Claim 3 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. US 11,201,739 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because both methods comprise substantially the same elements. For example, function performed by claim 3 (i.e., 1+2+3) of the instant application are the same and obvious steps performed by claim 1 of patent ‘739 as noted below. 
Instant Application 17/522,305
US 11,201,739 B2
1. A method performed by a server in a computing system, the method comprising: 

See Claims 3 below







See Claims 3 below




See Claims 3 below


receiving a request for a data access token from a computing node, wherein the data access token is a token required to access data stored in a data storage system, and the data stored in the data storage system is required for a task scheduled for execution on the computing node; 


verifying a digital signature associated with the request for the data access token; 


extracting a task identifier (ID) that identifies the task from the request for the data access token; 

transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node; 

receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node; 

subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.

2. The method of claim 1, wherein the request for the data access token includes the digital signature.






3. The method of claim 2, further comprising: prior to receiving the request for the data access token, receiving a request for a task token from the computing node, wherein the task token is a token specific to the task scheduled for execution on the computing node, and wherein the request for the task token includes the task ID; 

digitally signing at least the task ID to obtain the digital signature, and incorporating the task ID and the digital signature into the task token; and 

transmitting the task token to the computing node, wherein the request for the data access token includes the task token.
1. A method performed by a server in a computing system, the method comprising:

receiving a request for a task token from a computing node, wherein the task token is a token specific to a task scheduled for execution on the computing node, and wherein the request for the task token includes a task identifier (ID) that identifies the task;

digitally signing at least the task ID to obtain a digital signature, and incorporating the task ID and the digital signature into the task token;

transmitting the task token to the computing node;

subsequently receiving a request for a data access token from the computing node, wherein the data access token is a token required to access data stored in a data storage system, and wherein the request for the data access token includes the task token;



verifying the digital signature of the task token received in the request for the data access token;

extracting the task ID from the task token received in the request for the data access token;

transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node;

receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node;

subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.

2. The method of claim 1, wherein the task originates from a user, wherein the request for the task token also includes information that identifies the user, wherein the information that identifies the user is also digitally signed by the server to obtain the digital signature, and wherein the information that identifies the user is also incorporated into the task token.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 21 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because the broadest reasonable interpretation of the “computer-readable medium” encompasses signals per se. The specification discloses that “[0158] Moreover, any module, component, or device exemplified herein that executes instructions may include or otherwise have access to a non-transitory computer/processor readable storage medium or media for storage of information, such as computer/processor readable instructions, data structures, program modules, and/or other data. A non-exhaustive list of examples of non-transitory computer/processor readable storage media includes magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, optical disks such as compact disc read-only memory (CD-ROM), digital video discs or digital versatile disc (DVDs), Blu-ray DiscTM, or other optical storage, volatile and non-volatile, removable and non- removable media implemented in any method or technology, random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology. Any such non-transitory computer/processor storage media may be part of a device or accessible or connectable thereto. Any application or module herein described may be implemented using computer/processor readable/executable instructions that may be stored or otherwise held by such non-transitory computer/processor readable storage media.” A claim whose BRI covers both statutory and non-statutory embodiments embraces subject matter that is not eligible for patent prosecution and therefore is directed to non-statutory subject matter. See MPEP 2106.03(II). It is suggested that claim 21 be amended to recite a “non-transitory” computer readable medium to overcome this rejection. Accordingly, Claim 1 fails to recite statutory subject matter under 35 USC 101.




Claims 1-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (abstract idea) without significantly more.

As per claim 1, in step 1 of the 101 analysis, the examiner has determined that the claim
is directed to a method. Therefore, the claim is directed to one of the four statutory categories of invention. 
	The limitations “for a data access token from a computing node, wherein the data access token is a token required to access data stored in a data storage system, and the data stored in the data storage system is required for a task scheduled for execution on the computing node”, “hat identifies the task from the request for the data access token”, and “for use by the computing node to access the data from the data storage system during execution of the task by the computing node” are intended use limitations and therefore do not have weight. 
In step 2A prong 1 of the 101 analysis, the examiner has determined that the claim recites a judicial exception. Specifically, the limitations “verifying a digital signature associated with the request for the data access token”, “querying whether the task identified by the task ID is still being executed by the computing node”, “the response indicating that the task identified by the task ID is still being executed by the computing node” are directed to a mental process. Humans can use their minds to verify a signature to extract an ID used to determine whether a task associated with said ID is still being executed by the computer, and based on whether the task with said ID is still being executed determine to send a token to allow access (i.e., Observation, Judgement, Evaluation).  
In step 2A prong 2 of the 101 analysis, the examiner has determined that the additional elements, alone or in combination do not integrate the judicial exceptions into a practical application for the following rationale: 
The limitations “receiving a request”, “extracting a task identifier (ID)”, “transmitting a message… the message including the task ID and the message”, “receiving a response”, and “subsequent to receiving the response, sending the data access token” are insignificant, extra-solution activity. The term "extra-solution activity" can be understood as "activities incidental to the primary process or product that are merely a nominal or tangential addition to the claim" (MPEP 2106.05(g)). The examiner has determined that the limitation “receiving a request”, “extracting a task identifier (ID)”, “transmitting a message… the message including the task ID and the message”, “receiving a response”, and “subsequent to receiving the response, sending the data access token” are directed to mere data gathering activity which is a category of insignificant extra-solution activities (MPEP 2106.05(g)).
The limitation “performed by a server in a computing system”, apply judicial exceptions on a generic computer. "Alappat 's rationale that an otherwise ineligible algorithm or software could be made patent-eligible by merely adding a generic computer to the claim was superseded by the Supreme Court's Bilski and Alice Corp. decisions" so therefore applying judicial exceptions on a processor which is a generic computing component does not integrate the judicial exceptions into a practical application (MPEP 2106.05(b)).
The limitation “to a computing device”, “from the computing device”, “to the computing node” merely describes attributes of the technological environment in which the abstract idea is operating. The courts have identified that generally linking the use of a judicial exception into a technological environment do not integrate a judicial exception into a practical application (MPEP 2106.04(d)(I)).

In step 2B of the 101 analysis, the examiner has determined that the additional elements, alone or in combination do not recite significantly more than the abstract ideas identified above for the following rationale: 
The limitations “receiving a request”, “extracting a task identifier (ID)”, “transmitting a message… the message including the task ID and the message”, “receiving a response”, and “subsequent to receiving the response, sending the data access token” is an insignificant, extra-solution activity. The limitations “receiving a request”, “extracting a task identifier (ID)”, “transmitting a message… the message including the task ID and the message”, “receiving a response”, and “subsequent to receiving the response, sending the data access token” is well-understood, routine, or conventional because it is directed to “receiving or transmitting data”. This is an additional element that the courts have recognized as well understood, routine, or conventional (MPEP 2106.05(d)). The citation of court cases in the MPEP meets the Berkheimer evidentiary burden since citation of a court case in the MPEP is one of the 4 types of evidentiary support that can be used to prove that the additional elements are well-understood, routine, or conventional (see 125 USPQ2d 1649 Berkheimer v. HP, Inc.). Thus, the limitation does not amount to significantly more than the abstract idea. 
The limitation “performed by a server in a computing system” apply judicial exceptions on a generic computer and therefore do not provide significantly more.
The limitations “to a computing device”, “from the computing device”, “to the computing node” merely describe attributes of the technological environment and therefore do not amount to significantly more than the exception itself (MPEP 2106.05(h)).

As per claim 11, it is a system claim of claim 1, so it is rejected for similar reasons as claim 1. Additionally, claim 11 recites “a processor”, “a memory” and “at least one network interface” which are generic computing components so they do not integrate the judicial exception into a practical application nor do they recite significantly more. 

As per claim 21, it is a method claim of claim 1, so it is rejected for similar reasons as claim 1. 

As per claim 2 and similarly for claim 12 recites “wherein the request for the data access token includes the digital signature” which further describes the request/obtained data which is insignificant resolution activity. Therefore, the additional elements do not integrate the judicial exceptions into a practical application nor do they recite significantly more. 

As per claim 3 and similarly for claim 13, it recites “receiving a request”, “digitally signing” (i.e., updating) and “transmitting the task” which are insignificant extra-solution activities and are well-understood, routine, or conventional because they are directed to “receiving or transmitting data”, it recites “wherein the task token is a token specific to the task scheduled for execution on the computing node, and wherein the request for the task token includes the task ID”, “to obtain the digital signature, and incorporating the task ID and the digital signature into the task token” which are an intended use limitation, and it recites “the computing node” which describes attributes of the technological environment”. Therefore, the additional elements do not integrate the judicial exceptions into a practical application nor do they recite significantly more.

As per claim 4 and similarly for claim 14, further defines the data received. Therefore, the additional elements do not integrate the judicial exceptions into a practical application nor do they recite significantly more.

As per claims 5-7 and similarly for claim 15-17, further defines the abstract idea in determining whether to restrict/limit access to the data based on the task ID which can be reasonably performed in the mind. Therefore, the additional elements do not integrate the judicial exceptions into a practical application nor do they recite significantly more.

As per claim 8-9 and similarly for claims 18-19, further defines the data received. Therefore, the additional elements do not integrate the judicial exceptions into a practical application nor do they recite significantly more.

As per claim 10 and similarly for claim 20, further defines the step of updating the token with additional information. Therefore, the additional elements do not integrate the judicial exceptions into a practical application nor do they recite significantly more.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5-7, 11, 12, 15-17, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Akselrod et al. (US 2020/0099691 A1) in view of Chambliss et al. (US 2017/0093844 A1).

Chambliss was cited in IDS.

Regarding claim 1, Akselrod teaches a method performed by a server in a computing system, the method comprising: 
receiving a request for a data access token from a computing node, wherein the data access token is a token required to access data stored in a data storage system, and the data stored in the data storage system is required for a task scheduled for execution on the computing node (Fig. 1D Step 131 and 138; Abstract: A request for access to an API from a user is initiated and followed by sending a request for a login credential to the user based on a type of API requested: Data API or Interaction API. The login credential is received along with the network location of the user. Authenticating the login credential and create an API specific token. [0053] Access API 111 creates and assigns the requested API token (i.e., Interaction API token or Data API token) to the user (step 138) (i.e., request for a data access token); [0041] Data API 112, generally, can be categorized as a REST API. However, more specifically, it can be a specialized REST API that can include the following programming functions: [0042] /customers/history/stats [0043] /customers/currencies/ Furthermore, those programming functions can be configured to be accessible only from within a highly secured server (i.e., located within highly secured network location 105), and only with specifically scoped authentication tokens. [0046] For example, using Airline Floo use-case, Airline Floo has a client mobile application and website that allows users to purchase tickets, save credit card information and set a few seat preferences (e.g., aisle versus window seat), and preferred currency (e.g., USD vs Euro) (i.e., task scheduled for execution). [0049] For example, Floo Airline customer, Bob, would like to change his seat assignment on an upcoming flight and uses his mobile app. Bob invokes the Floo Airline application on his mobile device.); 
verifying a digital signature associated with the request for the data access token (Abstract: The login credential is received along with the network location of the user. Authenticating the login credential; Fig. 1D Step 132; [0050] In an embodiment, Access API 111 sends a request for credentials to the user (step 132). For example, Floo Airline app would ask Bob to login into the app with his username and password. It should be noted that authentication component 114 can also be used to request credentials from the user and perform other routine authentication processes. [0051] In an embodiment, Access API 111 receives credentials for authentication from the user (step 134). Access API 111 receives, but is not limited to the following information from the user, a login credential (e.g., username, password, etc.) and a network location (e.g., Internet Protocol, cookies, domain names, etc.) of request from the user. For example, Bob (Floo Airline customer) would enter his username and password on the Floo Airline app from his mobile device.); 

While Akselrod teaches a task identifier such as completing seat assignment for a booked flight and expiration of data access tokens, Akselrod does not expressly teach extracting a task identifier (ID) that identifies the task from the request for the data access token;
transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node; 
receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node; 
subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node.

However, Chambliss teaches a method for utilizing a token to issue request for data handling (See at least [0033] and [0056-57]: I/O request against a data object (i.e., access token)). Further, Chambliss teaches extracting a task identifier (ID) that identifies the task from the request for the data access token ( [0060]: If the I/O driver 206 determines that the data object 108 is protected (YES branch from step 606), then the I/O driver searches (step 608) in the tokens table 212 for a valid token. The search is based on the process ID generating the request and the identifiers of the data object 108.);
transmitting a message to a computing device, the message including the task ID and the message querying whether the task identified by the task ID is still being executed by the computing node, receiving a response from the computing device, the response indicating that the task identified by the task ID is still being executed by the computing node ([0060]: If a token is found in the tokens table 212, the found token is validated by comparing the executable signature in the token with the executable signature associated with the process of the access program 202… The token may also have a limited span of validity. For example the span may limit the token to a number of I/Os or a definite lifetime and if the span is exhausted then the token is invalid; ¶ [0061]: In step 610, the I/O driver 206 determines whether the I/O driver 206 has a valid token);
subsequent to receiving the response, sending the data access token to the computing node for use by the computing node to access the data from the data storage system during execution of the task by the computing node ([0063]: If step 610 determines that the I/O driver 206 has a valid token (YES branch from step 610), then in step 618 the I/O driver 206 constructs an I/O request, which must be signed in order to be valid, which is sent by the client node 104 to the storage server 107. The I/O request contains the fields that would be contained in a native I/O request, as well as signature fields which are data values that are recognized by the storage server 107 as evidence of a valid certificate on the client node 104. In this embodiment using a token, the signature fields comprise a session validation field derived from the valid token. The session validation field is recognized by the storage server 107 as evidence of a valid token on the client node 104, and the presence of the token is recognized as evidence of a valid certificate. The session validation field may comprise a session identifier taken from the token, a code value drawn from a list contained in the token, and a code index indicating which element in the list is used.[0064-67]; [0068] Thus, when processing an I/O request against the protected data object 108, the storage server 107 provides the I/O request with privileged handling if the request is a signed I/O request that has been validated, and with degraded handling otherwise. Privileged handling is normal high-performance handling. In one embodiment, an I/O request or command is serviced, in step 624, with privileged access to the data object 108 after a signature in the I/O request or command is found to match metadata of the access program 202 configured for privileged access to the data object 108.).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chambliss with the teachings of Akselrod to determine based on token validity whether to allow access to particular data objects. The modification would have been motivated by the desire ensuring specific access programs to have privileged handling of data objects.

Regarding claim 2, Akselrod teaches wherein the request for the data access token includes the digital signature ([0050] In an embodiment, Access API 111 sends a request for credentials to the user (step 132). For example, Floo Airline app would ask Bob to login into the app with his username and password. It should be noted that authentication component 114 can also be used to request credentials from the user and perform other routine authentication processes. [0051] In an embodiment, Access API 111 receives credentials for authentication from the user (step 134). Access API 111 receives, but is not limited to the following information from the user, a login credential (e.g., username, password, etc.) and a network location (e.g., Internet Protocol, cookies, domain names, etc.) of request from the user. For example, Bob (Floo Airline customer) would enter his username and password on the Floo Airline app from his mobile device.).

Regarding claim 5, Chambliss teaches further comprising: 
extracting information identifying a user from the request for the data access token ([0060]: If the I/O driver 206 determines that the data object 108 is protected (YES branch from step 606), then the I/O driver searches (step 608) in the tokens table 212 for a valid token. The search is based on the process ID generating the request and the identifiers of the data object 108.); 
using the information identifying the user to determine a restriction on the user in relation to accessing the data in the data storage system ([0061]: In step 610, the I/O driver 206 determines whether the I/O driver 206 has a valid token); and 
indicating the restriction in the data access token and/or in information sent to the computing node along with the data access token ([0015]: enables a data storage system to recognize privileged access to data by certified access programs, and offers only degraded access to data by non-certified programs; [0062]; [0063]).  .

Regarding claim 6, Chambliss teaches wherein the restriction comprises at least one of the following: 
the user does not have permission to read the data in the data storage system; 
the user does not have permission to write data to the data storage system; and/or 
the user has access to only certain data in the data storage system ([0015] The present invention enables a data storage system to recognize privileged access to data by certified access programs, and offers only degraded access to data by non-certified programs; [0018] In this manner, even an authorized user who can access a given type of data could not access the data through the tool of the user's choice but just through certified programs; otherwise the access will be denied or degraded (e.g., rate-limited).). 

Regarding claim 7, Chambliss teaches further comprising: 
using the task ID to determine the restriction, wherein the restriction comprises the user only being able to access certain data in the data storage system for the task identified by the task ID ([0062]: If step 610 determines that the I/O driver 206 has no valid token (NO branch from step 610), then the I/O driver 206 posts (step 612) a work item to request a token. The work item includes the process ID, the current executable signature, and the identifiers of the data object 108. Then in step 614, the I/O driver 206 submits a native I/O request or command. For example, the native I/O request may be a READ-10 or READ-12 or READ-16 SCSI command containing a logical block address, a block count, and identifiers of the logical unit. The storage server 107 processes (step 616) the native request with degraded handling if the data object 108 is protected; [0063]).

Regarding claim 11, it is a system type claim having similar limitations as claim 1 above. Therefore, it is rejected under the same rationale above. Further, the additional limitations a server comprising: a processor, a memory, and at least one network interface are taught by Akselrod in at least [0076] “Authentication server 110 can include processor(s) 404, cache 416, memory 406, persistent storage 408, communications unit 410, input/output (I/O) interface(s) 412 and communications fabric 402. Communications fabric 402 provides communications between cache 416, memory 406, persistent storage 408, communications unit 410, and input/output (I/O) interface(s) 412. Communications fabric 402 can be implemented with any architecture designed for passing data and/or control information between processors (such as microprocessors, communications and network processors, etc.), system memory, peripheral devices, and any other hardware components within a system. For example, communications fabric 402 can be implemented with one or more buses”.

Regarding claim 12, it is a system type claim having similar limitations as claim 2 above. Therefore, it is rejected under the same rationale above.

Regarding claim 15, it is a system type claim having similar limitations as claim 5 above. Therefore, it is rejected under the same rationale above.

Regarding claim 16, it is a system type claim having similar limitations as claim 6 above. Therefore, it is rejected under the same rationale above.

Regarding claim 17, it is a system type claim having similar limitations as claim 7 above. Therefore, it is rejected under the same rationale above.

Regarding claim 21, it is a media/product type claim having similar limitations as claim 1 above. Therefore, it is rejected under the same rationale above.

Claims 8-10 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Akselrod and Chambliss as applied to claim 1, in further view of Chang et al. (US 2014/0208119 A1).

Chambliss and Chang were cited in IDS.

Regarding claim 8, Akselrod and Chambliss do not expressly teach, but Chang does teach wherein the digital signature is obtained by the server using a private key to digitally sign a data block that includes at least the task ID and information that identifies the user (¶ [0021]: one security token which contains user identity and user credentials to represent the user who is requesting services from a server, where the term "user" may refer to a device being operated by a human user or it may refer to another process. The security token (or tokens) contains two other identities, an identity of the token issuer, and an identity of the owning process. ¶ [0022]: the user first authenticates (151) to the server process using authentication credentials such as user ID and password. After a successful authentication, at least one security token is issued to represent the user identity (152). Typically, the owning process of a security token is the server process that received the user request. Typically, the issuer of the security token is a token services. The security token is digitally signed by the token services using a private key of the token service), wherein the request for the data access token comprises the digital signature, the task ID, and the information that identifies the user (Fig. 1, Token contains: user identity, user credentials, identity of the token issuer, and identity of the owning process, and is signed by token services private key). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chang with the teachings of Akselrod and Chambliss to use a digital signature to sign the data block used with the assigned token. The modification would have been motivated by the desire of ensuring that the data being accessed is only visible to the identified user, thus improving security.

Regarding claim 9, Chang teaches wherein the digital signature is a first digital signature, wherein the task ID is bound to an identity of the computing node using a second digital signature, wherein the second digital signature is received from the computing node, and wherein the second digital signature is verified by the server prior to sending the data access token to the computing node (¶ [0024] Assuming that a request message and a security token is received by a downstream server process, and that the validity and integrity of the request message and the security token is verified, and the request is authorized, the receiving server process can make downstream requests (152) on behalf of the original requester by sending the received security token along with its own server security token, and endorse the downstream request by digitally signing (second digital signature) the request message by using its server private key that is identified by the owing process private key in its owner server security token.).  

Regarding claim 10, Chang teaches wherein the server incorporates the task ID and/or the information identifying a user into the data access token (¶ [0023]: During operation, a process receiving a security token can use the issuer process name and the issuer key name to uniquely identify the public key needed to verify the token issuer digital signature. The token also contains an owning process key name which indicates the key the owning process must use to digitally sign request messages using a security token to prove the ownership of a security token.).

Regarding claim 18, it is a system type claim having similar limitations as claim 8 above. Therefore, it is rejected under the same rationale above.

Regarding claim 19, it is a system type claim having similar limitations as claim 9 above. Therefore, it is rejected under the same rationale above.

Regarding claim 20, it is a system type claim having similar limitations as claim 10 above. Therefore, it is rejected under the same rationale above.
Allowable Subject Matter
Claims 3-4 and 13-14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JORGE A CHU JOY-DAVILA whose telephone number is (571)270-0692. The examiner can normally be reached Monday-Friday, 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai T An can be reached on (571)-272-3756. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JORGE A CHU JOY-DAVILA/Primary Examiner, Art Unit 2195