Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s claims filed on 30 July 2019. Claims 1-20 remain pending.

Information Disclosure Statement
4.	The Information Disclosure Statement respectfully submitted on 30 July 2019 has been considered by the Examiner.

Claim Interpretation
5.	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

6.	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation is: “identity intermediary” in claim 8.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
***Examiner’s Note: If the Applicant wishes to not invoke 112(f) it is recommended to modify the identity intermediary with structure such as a processor and memory configured to execute the identity intermediary. The credential provider server as defined in the Applicant’s specification para. 0030 can be interpreted as hardware and software, therefore, the mere presence of a server alone within the body of the claims is not enough to overcome the claim interpretation. 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Leicher et al. (Pub No. 2013/0191884).
Referring to the rejection of claim 1, Leicher et al. discloses a method to be executed by a processor of an identity intermediary, the method comprising: 
receiving a request to access a first service of a plurality of services of a network from a principal; (See Leicher et al., para. 37 and 71, i.e. the user, item 600 is referred to as the principal, wherein a request to access a service is received from the user by using an OpenID identifier, such as an email address)
storing, at the identity intermediary, an identifier of the first service; (See Leicher et al., para. 71, i.e. the client, item 602 is referred to as the service provider, wherein the identifier comprises a username and the domain of an OpenID IdP stored at the service provider/identity intermediary)
transferring an unsigned credential of the principal and a principal identifier from the identity intermediary to a credential provider; (See Leicher et al., para. 71, i.e. transferring the unregistered credentials of the user and the user’s identifier from the client (service provider/identity intermediary) to the authorization server, item 604 which is referred to as the identity/credential provider)
receiving, from the credential provider, the principal identifier and the credential signed by the credential provider; (See Leicher et al., para. 71, i.e. receiving from the authorization server (identity/credential provider) the user’s identity and the signed ID token by the authorization server used for authenticating and validating the user)
and transmitting the signed credential to the first service for authentication.  (See Leicher et al., para. 71, i.e. transmitting the access token to the service for authentication and allowing the user access to the user info endpoint, item 630)

Referring to the rejection of claim 2, Leicher et al. discloses further comprising directing the principal to the credential provider, and transmitting to the credential provider instructions for redirecting the principal to the identity intermediary upon the credential provider signing the credential.  (See Leicher et al., para. 33-34 and 85)

Referring to the rejection of claim 3, Leicher et al. discloses further comprising looking up, responsive to receiving the credential, the stored identifier of the first service; and determining, from the stored identifier, to transmit the signed credential to the first service.  (See Leicher et al., para. 34 and 41)
Referring to the rejection of claim 4, Leicher et al. discloses wherein the credential is signed via a public/private key pair. (See Leicher et al., para. 84-85 and 88)

Referring to the rejection of claim 5, Leicher et al. discloses wherein each of the plurality of services of the network authenticate a principal with a like public key.  (See Leicher et al., para. 84-85, 88, and 97)

Referring to the rejection of claim 6, Leicher et al. discloses wherein each of the like public keys is a child credential generated by the identity intermediary.  (See Leicher et al., para. 83-84)

Referring to the rejection of claim 7, Leicher et al. discloses further comprising receiving a public key of a public/private key pair, wherein the public key is shared with the plurality of services of the network for authentication, and the private key is stored at the credential provider.  (See Leicher et al., para. 85, 96-97)

Referring to the rejection of claim 8, Leicher et al. discloses an authentication system comprising: 
an identity intermediary, (See Leicher et al., para. 71, i.e. the identity intermediary is referred to as the client, item 602 and is disclosed as the service provider) the identity intermediary to receive a request to access a first service of a plurality of services of a network from a principal and store a service identifier; (See Leicher et al., para. 37 and 71, i.e. the user, item 600 is referred to as the principal, wherein a request to access a service is received from the user by using an OpenID identifier, such as an email address. The client, item 602 is referred to as the service provider, wherein the identifier comprises a username and the domain of an OpenID IdP stored at the service provider/identity intermediary)
and a credential provider server, (See Leicher et al., para. 71, i.e. the credential provider server is referred to as the authorization server, item 604 ) the credential provider server to: receive an unsigned credential of the principal and a principal identifier from the identity intermediary; (See Leicher et al., para. 71, i.e. transferring the unregistered credentials of the user and the user’s identifier from the client (service provider/identity intermediary) to the authorization server, item 604 which is referred to as the identity/credential provider)
sign the credential upon verification of the principal; (See Leicher et al., para. 71, i.e. receiving from the authorization server (identity/credential provider) the user’s identity and the signed ID token by the authorization server used for authenticating and validating the user)
and transmit the signed credential and the principal identifier to the identity intermediary; wherein the identity intermediary, upon receiving the signed credential, and principal identifier, directs the principal to the first service. (See Leicher et al., para. 71, i.e. transmitting the access token to the service for authentication and allowing the user access to the user info endpoint, item 630)

Referring to the rejection of claim 9, Leicher et al. discloses wherein the credential provider server receives the principal from the identity intermediary, and the identity intermediary transmits to the credential provider server, instructions for redirecting the principal to the identity intermediary.  (See Leicher et al., para. 33-34 and 85)

Referring to the rejection of claim 10, Leicher et al. discloses wherein the identity intermediary stores an identifier of the first service responsive to receiving the request to access the first service from the principal.  (See Leicher et al., para. 123-124)

Referring to the rejection of claim 11, Leicher et al. discloses wherein the instructions for redirecting the principal are transmitted to the credential provider server through a payload.  (See Leicher et al., para. 111)

Referring to the rejection of claim 12, Leicher et al. discloses wherein the identity intermediary, responsive to receiving the signed credential and the principal identifier, looks up the stored identifier of the first service with the principal identifier, and determines, from the stored identifier, to transmit the principal to the first service.  (See Leicher et al., para. 34 and 41)

Referring to the rejection of claim 13, Leicher et al. discloses wherein the credential is signed via a private key of the credential provider.  (See Leicher et al., para. 95-98)
Referring to the rejection of claim 14, Leicher et al. discloses wherein a private key of a generated public/private key pair is provided to the credential provider server, and a public key of the public/private key pair is provided to the identity intermediary upon a configuration of the authentication system.  (See Leicher et al., para. 84-85 and 88)

Referring to the rejection of claim 15, Leicher et al. discloses wherein the identity intermediary generates a child credential from the public key and provides the child credential to the plurality of services of the network.  (See Leicher et al., para. 83-84)

Referring to the rejection of claim 16, Leicher et al. discloses a non-transitory machine readable medium comprising instructions executable by a processor for transmission of a principal to a service for authentication, the processor upon execution to: (See Leicher et al., para. 145, i.e. processor, item 1418 and non-transitory machine readable medium, item 1430)
receive a request to access a first service of a plurality of services of a network from a principal; (See Leicher et al., para. 37 and 71, i.e. the user, item 600 is referred to as the principal, wherein a request to access a service is received from the user by using an OpenID identifier, such as an email address)
transfer the principal and a principal identifier to a credential provider; (See Leicher et al., para. 71, i.e. transferring the unregistered credentials of the user and the user’s identifier from the client (service provider/identity intermediary) to the authorization server, item 604 which is referred to as the identity/credential provider)
receive the principal identifier and credential signed by the credential provider from the principal; (See Leicher et al., para. 71, i.e. receiving from the authorization server (identity/credential provider) the user’s identity and the signed ID token by the authorization server used for authenticating and validating the user)
and transmit the principal to the first service for authentication.  (See Leicher et al., para. 71, i.e. transmitting the access token to the service for authentication and allowing the user access to the user info endpoint, item 630)

Referring to the rejection of claim 17, Leicher et al. discloses further comprising instructions to store an identifier of the first service.  (See Leicher et al., para. 123-124)

Referring to the rejection of claim 18, Leicher et al. discloses further comprising instructions to transmit to the credential provider, instructions for directing the principal to the first service upon a transmission of the credential from the credential provider to the principal.  (See Leicher et al., para. 87-88 and 97)

Referring to the rejection of claim 19, Leicher et al. discloses further comprising instructions to look up, responsive to receiving the credential, the stored identifier of the first service; and determining, from the stored identifier, to transmit the principal to the first service.  (See Leicher et al., para. 34 and 41)

Referring to the rejection of claim 20, Leicher et al. discloses wherein the credential is signed via a public/private key pair. (See Leicher et al., para. 84-85 and 88)


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/COURTNEY D FIELDS/Examiner, Art Unit 2436                                                                                                                                                                                                        October 18, 2022

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436