DETAILED ACTION

1. 	This correspondence is in response to AMENDMENTS and REMARKS filed on 24/08/2022.

2. 	Claims 1-20 are pending. Claims 1, 7, and 14 are in independent forms. Claims 1, 7, 14, and 17 has been amended. 
Information Disclosure Statement
3. 	The information disclosure statements (I DS's) submitted on 08/09/2022 is in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments

4. 	Applicant's arguments filed on 24 August 2022 have been fully considered but they are not persuasive.
I) 	In response to applicant's arguments on page 8, Applicant submits that the references, alone or in any combination, do not teach a first SCP subsystem that identifies a second SCP subsystem and signs a first SCP authentication communication with a first private key to provide a first signed SCP authentication communication, transmits the first signed SCP authentication communication to the second SCP subsystem, receives a second signed SCP authentication communication from the second SCP subsystem and authenticates the second signed SCP authentication communication using a second public key associated with the second SCP subsystem, establishes a first secure communication channel with the second SCP subsystem in response to authenticating the second signed SCP authentication communication, and receives an attestation of an authentication of the third SCP subsystem from the second SCP subsystem and, in response, establishes a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications, as recited by amended independent claim 1, and as substantially recited by amended independent claims 7 and 14.
	The examiner respectfully disagrees with the argument. The applicant argued that the combination of Scruby and Khan does not teach a first SCP subsystem that identifies a second SCP subsystem and signs a first SCP authentication communication with a first private key to provide a first signed SCP authentication communication, as stated in the office action the combination of Scruby and Khan reference teaches the challenge code may identify and/or be unique to user A's authentication attempt. CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145. Furthermore, the combination teaches In step 804, the client device A 720 may encode, via the application, one or more of the pieces of data included in the attestation request received from the server 730. The client device A 720 may encode the challenge code, the server identifier, and/or the information identifying user A and/or device A 720  (see Scruby 0129).
II)	 In response to applicant's arguments on page 8, Applicant submits that the references, alone or in any combination, do not teach transmits the first signed SCP authentication communication to the second SCP subsystem.
	The examiner respectfully disagrees with the argument. The applicant argued that the combination does not teach transmits the first signed SCP authentication communication to the second SCP subsystem. Contrary to the applicant assertion, as stated in the office action the combination of Scruby and Khan reference teaches at step 624 of process 600, processor 102 (e.g., AP 102a) may receive such secure element authorization response data 672 of step 622 and then generate and transmit any suitable Auth Key response data 674 to commercial entity subsystem 400 (e.g., HSM 402). Such Auth Key response data 674 may include the encrypted Auth Keys of step 616 and/or the HMAC_SEP computed at step 617 and/or ECID of step 617, one or more of which may be signed by the SE signature of secure element authorization response data 672 of step 622. Furthermore, the combination teaches at step 610 of process 600, commercial entity subsystem 400 (e.g., HSM 402 of commercial entity subsystem 400 of FIG. 1A) may generate and transmit Auth Key request data 660 to processor 102 (e.g., to AP 102a). Such Auth Key request data 660 may include any suitable data that may be received by processor 102 and utilized by device 100 to generate and share Auth Keys with commercial entity subsystem 400. For example, such Auth Key request data 660 may include an HSM Challenge and/or an HSM Certificate (“Cert.”) (see Khan par. 0065).
III)	 In response to applicant's arguments on page 8, Applicant submits that the references, alone or in any combination, do not teach receives a second signed SCP authentication communication from the second SCP subsystem and authenticates the second signed SCP authentication communication using a second public key associated with the second SCP subsystem.
	The examiner respectfully disagrees with the argument. The applicant argued that the combination does not teach transmits the first signed SCP authentication communication to the second SCP subsystem. Contrary to the applicant assertion, as stated in the office action the combination of Scruby and Khan reference teaches at step 625 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate CASD-Cert. 158c, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624 (e.g., a portion of Auth Key response data 674 provided to processor 102 by secure element 145 as at least a portion of secure element response data 662 of step 612). Furthermore, the combination teaches at step 616, processor 102 (e.g., SEP 102b) may encrypt such Auth Keys using any suitable data, such as an HSM public key (e.g., and HSM PK), where such an HSM PK may have been received by processor 102 or otherwise accessed by processor 102 through receipt of Auth Key request data 660 (e.g., HSM Challenge and/or HSM Cert.) and/or by a root public key accessible by code available to processor 102, where such encryption may prevent the Auth Keys being shared from being used by any entity unable to decrypt such an encryption (e.g., any entity other than commercial entity subsystem 400, which may also have access to that public key HSM PK (e.g., as accessible to commercial entity subsystem 400 prior to or at step 610)) (see Khan par. 0068).
IV)	 In response to applicant's arguments on page 8, Applicant submits that the references, alone or in any combination, do not teach establish, in response to authenticating the second signed SCP authentication communication, a first secure communication channel with the second SCP subsystem.
	The examiner respectfully disagrees with the argument. The applicant argued that the combination does not teach establish, in response to authenticating the second signed SCP authentication communication, a first secure communication channel with the second SCP subsystem. Contrary to the applicant assertion, as stated in the office action the combination of Scruby and Khan reference teaches the server 730 may authenticate user A based on the received credentials. After authenticating user A based on the credentials, the server 730 may determine to request attestation of user A's identity. Accordingly, device A 720 may be authenticated via multi-factor authentication. CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400). Furthermore, the combination teaches at step 622 of process 600, secure element 154 may generate and transmit secure element authorization response data 672 to processor 102 (e.g., AP 102a), which may include any suitable data, such as an SE Signature, which may sign one or more portions of authorization request data 670 (e.g., one or more or all of the encrypted Auth Keys of step 616 and/or HMAC_SEP computed at step 617 and/or ECID of step 617) with any suitable key, such as private key CASD-SK 158a of CASD 158 of secure element 145 (see Khan par. 0069).
V)	 In response to applicant's arguments on page 8, Applicant submits that the references, alone or in any combination, do not teach receive, from the second SCP subsystem, an attestation of an authentication of the third SCP subsystem and, in response, establish a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications.
	The examiner respectfully disagrees with the argument. The applicant argued that the combination does not teach receive, from the second SCP subsystem, an attestation of an authentication of the third SCP subsystem and, in response, establish a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications. Contrary to the applicant assertion, as stated in the office action the combination of Scruby and Khan reference teaches the server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740. At step 620 of process 600, processor 102 (e.g., AP 102a) may generate and transmit secure element authorization request data 670 to secure element 145. Such secure element authorization request data 670 may include any suitable data that may be received by secure element 145 for generating a secure element signature on at least a portion of such data. Furthermore, the combination teaches server 730 may grant device A 720 read access to one or more files if one device (e.g., device B 740) attests to user A's identity. Server 730 may grant device A 720 write access to the one or more files if two devices (e.g., device B 740 and another device) attest to user A's identity. Device A 720 may be granted greater access privileges the more devices attest to user A's identity. In some aspects, the level of access device A 720 has to resources may be based on the level of access of other devices used to attest to user A's identity. For example, device A 720 may access resources that device B 740 can access if device B 740 attests to user A's identity. If another device with higher (or lower) access privileges attests to user A's identity, server 730 may grant device A 720 access to resources that that other device can access (see Scruby par. 0123).
VI)	 In response to applicant's arguments on page 8, Applicant submits that the references, alone or in any combination, do not teach as substantially recited by amended independent claims 7 and 14.
	Examiner respectfully refers applicant to the above response in items I-V.
VII)	In response to applicant's arguments on page 11, Applicant submits that the references, alone or in any combination, do not teach Dependent claims 2-6 depend from and further limit amended independent claim 1, dependent claims 8-13 depend from and further limit amended independent claim 7, dependent claims 15-20 depend from and further limit amended independent claim 14, and as Khan does not teach anything to remedy the deficiencies of Scruby, each is submitted as allowable for at least the reasons discussed above.	
	Examiner respectfully refers applicant to the above response in items I-V.

Claim Rejections - 35 USC § 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Scruby US Patent Application Publication No. 2019/0149539 (hereinafter Scruby) in view of Khan et al. US Patent Application Publication No. 2016/0344710 (hereinafter Khan).
Regarding claim 1, Scruby discloses a distributed secure communication system, comprising: 			“a third System Control Processor (SCP) subsystem” (Fig. 7, Device B 740) 				“a second SCP subsystem (Fig. 7, Device A 720) that is coupled to the third SCP subsystem via a network” (see Scruby par. 0116, In step 705, user B (or user A) may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720); and a first SCP subsystem (Fig. 7, server 730) that is coupled to the second SCP subsystem and the third SCP subsystem via the network (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703), wherein the first SCP subsystem is configured to:
 “identify the second SCP subsystem and, (see Scruby par. 0112, In step 703, the server 730 may generate a challenge code, such as a one-time challenge code. The challenge code may identify and/or be unique to user A's authentication attempt); establish, in response to authenticating the second (see Scruby par. 0111, The server 730 may authenticate user A based on the received credentials. After authenticating user A based on the credentials, the server 730 may determine to request attestation of user A's identity. Accordingly, device A 720 may be authenticated via multi-factor authentication); and receive, from the second SCP subsystem, an attestation of an authentication of the third SCP subsystem and, (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703). For example, the server 730 may compare the received challenge code to the challenge code the server 730 previously generated. The server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740);
 but Scruby does not explicitly discloses 
transmit the first signed SCP authentication communication to the second SCP subsystem; receive a second signed SCP authentication communication from the second SCP subsystem and, in response, authenticate the second signed SCP authentication communication using a second public key associated with the second SCP subsystem; (see Khan par. 0040, CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400)); transmit the first signed SCP authentication communication to the second SCP subsystem; (see Khan par. 0069, at step 624 of process 600, processor 102 (e.g., AP 102a) may receive such secure element authorization response data 672 of step 622 and then generate and transmit any suitable Auth Key response data 674 to commercial entity subsystem 400 (e.g., HSM 402). Such Auth Key response data 674 may include the encrypted Auth Keys of step 616 and/or the HMAC_SEP computed at step 617 and/or ECID of step 617, one or more of which may be signed by the SE signature of secure element authorization response data 672 of step 622 (e.g., CASD-SK 158a), and/or CASD-Cert. 158c of secure element response data 662 of step 612 and/or SEID 158f of secure element response data 662 of step 612); receive a second signed SCP authentication communication from the second SCP subsystem and, in response, authenticate the second signed SCP authentication communication using a second public key associated with the second SCP subsystem (see Khan par. 0070, at step 625 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate CASD-Cert. 158c, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624 (e.g., a portion of Auth Key response data 674 provided to processor 102 by secure element 145 as at least a portion of secure element response data 662 of step 612). In some embodiments, a root public key that may be used for validating CASD-Cert. 158c may be accessible to commercial entity subsystem 400 (e.g., such a root public key (e.g., CASD-PK 158b or otherwise) may have been provided to commercial entity subsystem 400 as at least a portion of data 656 at step 606 by secure element vendor subsystem 450). Alternatively or additionally, at step 626 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate an SE Signature, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624); signed SCP authentication communication (see Khan par. 0040, CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400)); in response, establish a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications (see Khan par. 0069, At step 620 of process 600, processor 102 (e.g., AP 102a) may generate and transmit secure element authorization request data 670 to secure element 145. Such secure element authorization request data 670 may include any suitable data that may be received by secure element 145 for generating a secure element signature on at least a portion of such data. For example, such secure element authorization request data 670 may include an “Internal Auth” command with the encrypted Auth Keys of step 616 and/or HMAC_SEP computed at step 617 and/or ECID of step 617).							Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	                                                                                    
Regarding claim 2, Scruby in view of Khan discloses the system of claim 1, 			Scruby further discloses wherein the first SCP subsystem is configured to: monitor for SCP subsystems and, in response, identify the second SCP subsystem (see Scruby par. 0131, In step 805, user B may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720. Device B 740 may decode the data encoded in the code. By scanning and decoding the code, device B 740 may access the challenge code from the server 730, server identifier(s), and/or information identifying user A and/or device A 720).
Regarding claim 3, Scruby in view of Khan discloses the system of claim 1, 			Khan further discloses wherein the first SCP subsystem is configured to: retrieve, via a network, the second public key associated with the second SCP subsystem (see Khan par. 0072, an HSM Cert. may be a certified public key, which may be certified by a manufacturer of device 100, and where such a root public key (e.g., an HSM PK) may be included or accessible to code that may have been provided to processor 102 (e.g., SEP 102b) by that manufacturer or otherwise (e.g., prior to step 610), such that processor 102 (e.g., SEP 102b) may properly validate the HSM Cert. and, thus, validate the source of the request for the Auth Key (e.g., commercial entity subsystem 400)).				Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
Regarding claim 4, Scruby in view of Khan discloses the system of claim 1, 			Scruby further discloses wherein the first SCP subsystem is configured to: transmit, via the first secure communication channel, first control communications with the second SCP subsystem (see Scruby par. 0112, In step 703, the server 730 may generate a challenge code, such as a one-time challenge code. The challenge code may identify and/or be unique to user A's authentication attempt); and transmit, via the second secure communication channel, second control communications with the third SCP subsystem (see Scruby par. 0116, In step 705, user B (or user A) may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720).
Regarding claim 5, Scruby in view of Khan discloses the system of claim 4, 			Scruby further discloses wherein the first SCP subsystem is configured to: transmit, via a first unsecured communication channel, first data communications with the second SCP subsystem (see Scruby par. 0071, The secure applications may have a dual-mode option 540. The dual mode option 540 may present the user with an option to operate the secured application in an unsecured or unmanaged mode); and transmit, via a second unsecured communication channel, second data communications with the third SCP subsystem (see Scruby par. 0071, In an unsecured or unmanaged mode, the secure applications may access data stored in an unsecured data container 542 on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container may be personal data 544. The data stored in an unsecured data container 542 may also be accessed by unsecured applications 548 that are running on the unmanaged partition 512 of the mobile device 502).
Regarding claim 6, Scruby in view of Khan discloses the system of claim 1, 			Khan further discloses wherein the attestation of the authentication of the third SCP subsystem includes: a third public key associated with the third SCP subsystem; and third SCP subsystem communication connection information (see Khan par. 0072, At step 633, process 600 may include commercial entity subsystem 400 (e.g., HSM 402) generating an ephemeral key pair, such as an ephemeral public key ePK and an ephemeral private key eSK. Next, at step 634, process 600 may include commercial entity subsystem 400 sharing such a commercial entity ephemeral public key ePK with secure element 145 as ephemeral public key data 684 (e.g., via the initial secure channel setup at steps 630 and 632)).												Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
Regarding claim 7, Scruby discloses an Information Handling System (IHS), comprising: 			“a processing system” (Fig. 1, Par. 0031, Each component 103, 105, 107, 109 may be any type of known computer, server, or data processing device);	and a memory system (Fig. 1, Memory 121) that is coupled to the processing system and that includes instructions that, when executed by the processing system, cause the processing system to provide a distributed secure communication engine that is configured to: 										“identify a second System Control Processor (SCP) subsystem and, (see Scruby par. 0112, In step 703, the server 730 may generate a challenge code, such as a one-time challenge code. The challenge code may identify and/or be unique to user A's authentication attempt);  establish, in response to authenticating the second(see Scruby par. 0111, The server 730 may authenticate user A based on the received credentials. After authenticating user A based on the credentials, the server 730 may determine to request attestation of user A's identity. Accordingly, device A 720 may be authenticated via multi-factor authentication); and receive a second signed SCP authentication communication from the second SCP subsystem and, (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703). For example, the server 730 may compare the received challenge code to the challenge code the server 730 previously generated. The server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740); receive, from the second SCP subsystem, an attestation of an authentication of the third SCP subsystem and,  (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703). For example, the server 730 may compare the received challenge code to the challenge code the server 730 previously generated. The server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740);				but Scruby does not explicitly discloses ; transmit the first signed SCP authentication communication to the second SCP subsystem; receive a second signed SCP authentication communication from the second SCP subsystem and, in response, authenticate the second signed SCP authentication communication using a second public key associated with the second SCP subsystem; (see Khan par. 0040, CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400)); transmit the first signed SCP authentication communication to the second SCP subsystem; (see Khan par. 0069, at step 624 of process 600, processor 102 (e.g., AP 102a) may receive such secure element authorization response data 672 of step 622 and then generate and transmit any suitable Auth Key response data 674 to commercial entity subsystem 400 (e.g., HSM 402). Such Auth Key response data 674 may include the encrypted Auth Keys of step 616 and/or the HMAC_SEP computed at step 617 and/or ECID of step 617, one or more of which may be signed by the SE signature of secure element authorization response data 672 of step 622 (e.g., CASD-SK 158a), and/or CASD-Cert. 158c of secure element response data 662 of step 612 and/or SEID 158f of secure element response data 662 of step 612); receive a second signed SCP authentication communication from the second SCP subsystem and, in response, authenticate the second signed SCP authentication communication using a second public key associated with the second SCP subsystem (see Khan par. 0070, at step 625 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate CASD-Cert. 158c, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624 (e.g., a portion of Auth Key response data 674 provided to processor 102 by secure element 145 as at least a portion of secure element response data 662 of step 612). In some embodiments, a root public key that may be used for validating CASD-Cert. 158c may be accessible to commercial entity subsystem 400 (e.g., such a root public key (e.g., CASD-PK 158b or otherwise) may have been provided to commercial entity subsystem 400 as at least a portion of data 656 at step 606 by secure element vendor subsystem 450). Alternatively or additionally, at step 626 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate an SE Signature, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624); signed SCP authentication communication (see Khan par. 0040, CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400)); in response, establish a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications (see Khan par. 0069, At step 620 of process 600, processor 102 (e.g., AP 102a) may generate and transmit secure element authorization request data 670 to secure element 145. Such secure element authorization request data 670 may include any suitable data that may be received by secure element 145 for generating a secure element signature on at least a portion of such data. For example, such secure element authorization request data 670 may include an “Internal Auth” command with the encrypted Auth Keys of step 616 and/or HMAC_SEP computed at step 617 and/or ECID of step 617).							Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	                                                                            
Regarding claim 8, Scruby in view of Khan discloses the IHS of claim 7, 				Scruby further discloses wherein the distributed secure communication engine is configured to: monitor for SCP subsystems and, in response, identify the second SCP subsystem (see Scruby par. 0131, In step 805, user B may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720. Device B 740 may decode the data encoded in the code. By scanning and decoding the code, device B 740 may access the challenge code from the server 730, server identifier(s), and/or information identifying user A and/or device A 720).
Regarding claim 9, Scruby in view of Khan discloses the IHS of claim 7, 				Khan further discloses wherein the distributed secure communication engine is configured to: retrieve, via a network, the second public key associated with the second SCP subsystem (see Khan par. 0072, an HSM Cert. may be a certified public key, which may be certified by a manufacturer of device 100, and where such a root public key (e.g., an HSM PK) may be included or accessible to code that may have been provided to processor 102 (e.g., SEP 102b) by that manufacturer or otherwise (e.g., prior to step 610), such that processor 102 (e.g., SEP 102b) may properly validate the HSM Cert. and, thus, validate the source of the request for the Auth Key (e.g., commercial entity subsystem 400)). 
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
Regarding claim 10, Scruby in view of Khan discloses the IHS of claim 7, 				Scruby further discloses wherein the distributed secure communication engine is configured to: transmit, via the first secure communication channel, first control communications with the second SCP subsystem (see Scruby par. 0112, In step 703, the server 730 may generate a challenge code, such as a one-time challenge code. The challenge code may identify and/or be unique to user A's authentication attempt); and transmit, via the second secure communication channel, second control communications with the third SCP subsystem (see Scruby par. 0116, In step 705, user B (or user A) may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720).
Regarding claim 11, Scruby in view of Khan discloses the IHS of claim 10, 				Scruby further discloses wherein the distributed secure communication engine is configured to: transmit, via a first unsecured communication channel, first data communications with the second SCP subsystem (see Scruby par. 0071, The secure applications may have a dual-mode option 540. The dual mode option 540 may present the user with an option to operate the secured application in an unsecured or unmanaged mode);  and transmit, via a second unsecured communication channel, second data communications with the third SCP subsystem (see Scruby par. 0071, In an unsecured or unmanaged mode, the secure applications may access data stored in an unsecured data container 542 on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container may be personal data 544. The data stored in an unsecured data container 542 may also be accessed by unsecured applications 548 that are running on the unmanaged partition 512 of the mobile device 502).
Regarding claim 12, Scruby in view of Khan discloses the IHS of claim 7, 				Khan further discloses wherein the attestation of the authentication of the third SCP subsystem includes: a third public key associated with the third SCP subsystem; and third SCP subsystem communication connection information (see Khan par. 0072, At step 633, process 600 may include commercial entity subsystem 400 (e.g., HSM 402) generating an ephemeral key pair, such as an ephemeral public key ePK and an ephemeral private key eSK. Next, at step 634, process 600 may include commercial entity subsystem 400 sharing such a commercial entity ephemeral public key ePK with secure element 145 as ephemeral public key data 684 (e.g., via the initial secure channel setup at steps 630 and 632)).												Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
Regarding claim 13, Scruby in view of Khan discloses the IHS of claim 7, 				Scruby further discloses wherein the distributed secure communication engine is configured to: receive, from the third SCP subsystem, an attestation of an authentication of a fourth SCP subsystem (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703). For example, the server 730 may compare the received challenge code to the challenge code the server 730 previously generated. The server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740); and, in response, establish a third secure communication channel with the fourth SCP subsystem without the transmission of signed SCP authentication communications (see Khan par. 0069, At step 620 of process 600, processor 102 (e.g., AP 102a) may generate and transmit secure element authorization request data 670 to secure element 145. Such secure element authorization request data 670 may include any suitable data that may be received by secure element 145 for generating a secure element signature on at least a portion of such data. For example, such secure element authorization request data 670 may include an “Internal Auth” command with the encrypted Auth Keys of step 616 and/or HMAC_SEP computed at step 617 and/or ECID of step 617).	
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
					
Regarding claim 14, Scruby further discloses a method for providing distributed secure communications, comprising: 									“identifying, by a first System Control Processor (SCP) subsystem, a second SCP subsystem and, (see Scruby par. 0112, In step 703, the server 730 may generate a challenge code, such as a one-time challenge code. The challenge code may identify and/or be unique to user A's authentication attempt);                                                                                      	establishing, by the first SCP subsystem (see Scruby par. 0111, The server 730 may authenticate user A based on the received credentials. After authenticating user A based on the credentials, the server 730 may determine to request attestation of user A's identity. Accordingly, device A 720 may be authenticated via multi-factor authentication);	and receiving, by the first SCP subsystem, a second signed SCP authentication communication from the second SCP subsystem (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703). For example, the server 730 may compare the received challenge code to the challenge code the server 730 previously generated. The server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740);				but Scruby does not explicitly discloses ; transmitting, by the first SCP subsystem, the first signed SCP authentication communication to the second SCP subsystem; receive a second signed SCP authentication communication from the second SCP subsystem and, in response, authenticate the second signed SCP authentication communication using a second public key associated with the second SCP subsystem; (see Khan par. 0040, CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400)); transmit the first signed SCP authentication communication to the second SCP subsystem; (see Khan par. 0069, at step 624 of process 600, processor 102 (e.g., AP 102a) may receive such secure element authorization response data 672 of step 622 and then generate and transmit any suitable Auth Key response data 674 to commercial entity subsystem 400 (e.g., HSM 402). Such Auth Key response data 674 may include the encrypted Auth Keys of step 616 and/or the HMAC_SEP computed at step 617 and/or ECID of step 617, one or more of which may be signed by the SE signature of secure element authorization response data 672 of step 622 (e.g., CASD-SK 158a), and/or CASD-Cert. 158c of secure element response data 662 of step 612 and/or SEID 158f of secure element response data 662 of step 612); receiving, by the first SCP subsystem from the second SCP subsystem, an attestation of an authentication of a third SCP subsystem and, in response, establishing a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications (see Khan par. 0070, at step 625 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate CASD-Cert. 158c, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624 (e.g., a portion of Auth Key response data 674 provided to processor 102 by secure element 145 as at least a portion of secure element response data 662 of step 612). In some embodiments, a root public key that may be used for validating CASD-Cert. 158c may be accessible to commercial entity subsystem 400 (e.g., such a root public key (e.g., CASD-PK 158b or otherwise) may have been provided to commercial entity subsystem 400 as at least a portion of data 656 at step 606 by secure element vendor subsystem 450). Alternatively or additionally, at step 626 of process 600, commercial entity subsystem 400 (e.g., HSM 402) may validate an SE Signature, which may be received by commercial entity subsystem 400 as at least a portion of Auth Key response data 674 at step 624); signed SCP authentication communication (see Khan par. 0040, CASD 158 may be configured to sign any data that is provided by secure element 145 such that other subsystems (e.g., commercial entity subsystem 400) may be able to confirm that such signed data was signed by secure element 145 (e.g., using associated CASD data at commercial entity subsystem 400)); in response, establish a second secure communication channel with the third SCP subsystem without the transmission of signed SCP authentication communications (see Khan par. 0069, At step 620 of process 600, processor 102 (e.g., AP 102a) may generate and transmit secure element authorization request data 670 to secure element 145. Such secure element authorization request data 670 may include any suitable data that may be received by secure element 145 for generating a secure element signature on at least a portion of such data. For example, such secure element authorization request data 670 may include an “Internal Auth” command with the encrypted Auth Keys of step 616 and/or HMAC_SEP computed at step 617 and/or ECID of step 617).			Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	                                                                            
Regarding claim 15, Scruby in view of Khan discloses the method of claim 14, 			Scruby further discloses monitoring, by the first SCP subsystem, for SCP subsystems and, in response, identifying the second SCP subsystem (see Scruby par. 0131, In step 805, user B may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720. Device B 740 may decode the data encoded in the code. By scanning and decoding the code, device B 740 may access the challenge code from the server 730, server identifier(s), and/or information identifying user A and/or device A 720).
Regarding claim 16, Scruby in view of Khan discloses the method of claim 14, 			Khan further discloses retrieving, by the first SCP subsystem via a network, the second public key associated with the second SCP subsystem (see Khan par. 0072, an HSM Cert. may be a certified public key, which may be certified by a manufacturer of device 100, and where such a root public key (e.g., an HSM PK) may be included or accessible to code that may have been provided to processor 102 (e.g., SEP 102b) by that manufacturer or otherwise (e.g., prior to step 610), such that processor 102 (e.g., SEP 102b) may properly validate the HSM Cert. and, thus, validate the source of the request for the Auth Key (e.g., commercial entity subsystem 400)).						Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
Regarding claim 17, Scruby in view of Khan discloses the method of claim 14, 			Scruby further discloses transmitting, by the first SCP subsystem via the first secure communication channel, first control communications with the second SCP subsystem (see Scruby par. 0112, In step 703, the server 730 may generate a challenge code, such as a one-time challenge code. The challenge code may identify and/or be unique to user A's authentication attempt); and transmitting, by the first SCP subsystem via the second secure communication channel, second control communications with the third SCP subsystem (see Scruby par. 0116, In step 705, user B (or user A) may open an application on device B 740 and use device B's camera to scan the code (e.g., QR code) displayed on device A 720).
Regarding claim 18, Scruby in view of Khan discloses the method of claim 17, 			Scruby further discloses transmitting, by the first SCP subsystem via a first unsecured communication channel, first data communications with the second SCP subsystem (see Scruby par. 0071, The secure applications may have a dual-mode option 540. The dual mode option 540 may present the user with an option to operate the secured application in an unsecured or unmanaged mode);   and transmitting, by the first SCP subsystem via a second unsecured communication channel, second data communications with the third SCP subsystem (see Scruby par. 0071, In an unsecured or unmanaged mode, the secure applications may access data stored in an unsecured data container 542 on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container may be personal data 544. The data stored in an unsecured data container 542 may also be accessed by unsecured applications 548 that are running on the unmanaged partition 512 of the mobile device 502).
Regarding claim 19, Scruby in view of Khan discloses the method of claim 14, 			Scruby further discloses wherein the attestation of the authentication of the third SCP subsystem includes: a third public key associated with the third SCP subsystem; and third SCP subsystem communication connection information (see Khan par. 0072, At step 633, process 600 may include commercial entity subsystem 400 (e.g., HSM 402) generating an ephemeral key pair, such as an ephemeral public key ePK and an ephemeral private key eSK. Next, at step 634, process 600 may include commercial entity subsystem 400 sharing such a commercial entity ephemeral public key ePK with secure element 145 as ephemeral public key data 684 (e.g., via the initial secure channel setup at steps 630 and 632)).												Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	
Regarding claim 20, Scruby in view of Khan discloses the method of claim 14, 			Scruby further discloses receiving, by the first SCP subsystem from the third SCP subsystem, an attestation of an authentication of a fourth SCP subsystem (see Scruby par. 0120, In step 709, the server 730 may verify that the data received from device B 740 corresponds to the data sent to device A 720 (e.g., in step 703). For example, the server 730 may compare the received challenge code to the challenge code the server 730 previously generated. The server 730 may also verify the information identifying user A and/or device A 720. The server 730 may also verify that user B is part of the group of users that can attest to user A's identity. If the information is verified, server 730 may accept the attestation of user A by device B 740);  and, in response, establishing a third secure communication channel with the fourth SCP subsystem without the transmission of signed SCP authentication communications (see Khan par. 0069, At step 620 of process 600, processor 102 (e.g., AP 102a) may generate and transmit secure element authorization request data 670 to secure element 145. Such secure element authorization request data 670 may include any suitable data that may be received by secure element 145 for generating a secure element signature on at least a portion of such data. For example, such secure element authorization request data 670 may include an “Internal Auth” command with the encrypted Auth Keys of step 616 and/or HMAC_SEP computed at step 617 and/or ECID of step 617).	
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Khan into the system of Scruby to include a controlling authority security domain key configured to sign and/or encrypt certain data on secure element before providing such data to another portion of device (e.g., communications component for sharing with other subsystems of system 1 (see Khan par. 0069).	




Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMUEL AMBAYE whose telephone number is (571)270-7635. The examiner can normally be reached M-F 9:00 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.                                                                                                                                                           /SAMUEL AMBAYE/                                                                                                                                           Examiner, Art Unit 2433           

/JEFFREY C PWU/               Supervisory Patent Examiner, Art Unit 2433