DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made under 35 USC 112.

Regarding claims rejected under 35 USC 112(b):
	Applicant’s amendment is considered to have overcome the rejections. Accordingly, the rejections have been withdrawn.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Independent claims 1, 7, and 17 each recite an endpoint having a first attachment to a network (e.g., “wherein, the processor, upon determining a first attachment to a network,” “an endpoint upon a first attachment to the network”) which is blocked from communicating on that network except for mutual authentication with a first service provider (e.g., “wherein the processor initially has all communications via the network blocked except for communications with the first service provider,” “wherein the endpoint is blocked from communicating on the network other than to perform the mutual authentication”). However, the situation where the service provider is anything other than the first hop on the network is unclear. Further, the attachment itself is unclear as to its meaning. 
At least FIG. 1 and [0073]-[0074] of the specification recite an initial attachment to a private network, but do not specify that it is done via the first service provider. As such, the initial network attachment may take place over network communications other than that with the first service provider. Further, these communications may be for purposes other than mutual authentication. 
As such, the specification does not appear to describe the endpoint both attaching and having all communications other than for mutual authentication with the first service provider being blocked.
The dependent claims do not rectify this issue and are likewise rejected.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Independent claim 1 recites “wherein the processor initially has all communications via the network blocked except for communications with the first service provider” in combination with “provides the signed certificate to the second service as a requirement to unblock the communications that were blocked; and reconfigures the system to communicate with the second service at the second address and wherein the communications via the network that were blocked are unblocked.” These limitations appear to be directly contradictory, since the first disallows communications other than to the first service provider, while the second recites providing information to an entity other than the first service provider. The second limitation also recites reconfiguring and unblocking communications after already communicating with the entity other than the first service provider (i.e., “provides the signed certificate”). An interpretation may be considered, where the system potentially has the first service provider provide the signed certificate to the second service. However, this is not positively recited. Further, the claim appears drawn to the “processor” of the joining device which receives “a second address of a second service and a signed certificate” such that the joining device is to provide the signed certificate to the second service.
As such, the claim is indefinite because it appears to recite contradictory language rendering its scope unclear. For purposes of examination, the indefinite claim language has been interpreted as finalizing a network connection procedure by further connecting to another server as part of the process to join the network. 
The dependent claims do not rectify the issues of independent claim 1 and are therefore likewise rejected. 

Claims 7-16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Independent claim 7 recites “wherein the endpoint is blocked from communicating on the network other than to perform the mutual authentication” in combination with the endpoint being provided with “a certificate and address that, when a node at the address authenticates the endpoint utilizing the certificate, unblocks the blocked communications on the network.” These limitations appear to be contradictory, since the endpoint is explicitly blocked from communications other than the mutual authentication while also “a node at the address authenticates the endpoint utilizing the certificate.” At minimum, it is not clear whether the node is within the network or not, where being within the network appears to be a direct contradiction of the earlier limitation.
As such, the claim is indefinite because it appears to either recite contradictory language rendering its scope unclear, or leave out essential details as to its implementation. For purposes of examination, the indefinite claim language has been interpreted as finalizing a network connection procedure by further connecting to another server as part of the process to join the network. 
The dependent claims do not rectify the issues of independent claim 7 and are therefore likewise rejected. 

Claims 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Independent claim 17 recites “wherein the processor initially has all communications via the network blocked except for an attempt to perform mutual authentication” in combination with “receiving a signed certificate obtained from a device enrollment service (DES),” wherein these limitations appear to directly contradict each other. For instance, the processor has network communications other than mutual authentication blocked while also communicating with the DES to receive a signed certificate. The DES communication does not appear to be part of the claimed “attempt to perform mutual authentication” and is further not positively recited as such.
Therefore, the claim is indefinite because it appears to recite contradictory language rendering its scope unclear. For purposes of examination, the indefinite claim language has been interpreted as finalizing a network connection procedure by further connecting to another server as part of the process to join the network. 
The dependent claims do not rectify the issues of independent claim 17 and are therefore likewise rejected. 
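The following is an added illustrative model of the claim interpretation applied in the three rejections above (a network connection procedure finalized by further connecting to another server); it is not part of this Office action or of Applicant's disclosure. The model starts the endpoint with an allow-list containing only the address held in read-only storage, performs mutual authentication with the first service using the self-signed certificate and its hash, receives a signed certificate and a second address, adds only that learned address to the allow-list, and unblocks general communication only after the second service accepts the signed certificate. All addresses, identifiers and keys are constructed; an HMAC stands in for a real CA signature over an X.509 certificate, and a pinned fingerprint held by the endpoint stands in for its verification of the first service.

```python
"""Added illustration of the two-stage provisioning flow as interpreted above; not part of the
application or this action. Addresses, identifiers and keys are constructed, and HMAC-SHA256
stands in for a real CA signature over an X.509 certificate."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

FIRST_SERVICE_ADDR = "provisioning.example.invalid"  # hardcoded in read-only storage (constructed)
SECOND_SERVICE_ADDR = "enrollment.example.invalid"   # learned only from the first service (constructed)
CA_KEY = b"constructed-ca-key"                       # stand-in for the provisioning CA signing key
ANY = "*"                                            # allow-list marker: general traffic unblocked

def fingerprint(cert: dict) -> str:
    """SHA-256 over the canonical JSON body of a certificate, signature excluded."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def ca_sign(cert: dict) -> dict:
    """Re-issue the body under the provisioning CA; the HMAC stands in for the signature."""
    signed = {k: v for k, v in cert.items() if k != "sig"}
    signed["issuer"] = "provisioning-ca"
    signed["sig"] = hmac.new(CA_KEY, fingerprint(signed).encode(), "sha256").hexdigest()
    return signed

def ca_verify(cert: dict) -> bool:
    expected = hmac.new(CA_KEY, fingerprint(cert).encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, cert.get("sig", ""))

class Blocked(Exception):
    """The endpoint tried to reach an address outside its current allow-list."""

class Endpoint:
    def __init__(self, device_id: str, pinned_service_fp: str = ""):
        self.rom_first_address = FIRST_SERVICE_ADDR   # read-only, OEM-provisioned
        self.pinned_service_fp = pinned_service_fp    # endpoint's half of mutual auth (assumed pinning)
        # Self-signed: subject and issuer are the device itself.
        self.self_signed_cert = {"subject": device_id, "issuer": device_id, "pubkey": secrets.token_hex(16)}
        self.allowed = {self.rom_first_address}       # first attachment: only the first service is reachable
        self.signed_cert: Optional[dict] = None

    def send(self, service, msg: dict) -> dict:
        if service.addr not in self.allowed and ANY not in self.allowed:
            raise Blocked(f"{service.addr} not in allow-list {sorted(self.allowed)}")
        return service.handle(msg)

class ProvisioningService:
    """First service: checks the self-signed cert against an OEM-registered hash, then issues a signed cert."""
    addr = FIRST_SERVICE_ADDR

    def __init__(self, registered_hashes: set):
        self.registered_hashes = registered_hashes
        self.cert = ca_sign({"subject": self.addr, "pubkey": secrets.token_hex(16)})

    def handle(self, msg: dict) -> dict:
        cert, claimed = msg["cert"], msg["hash"]
        if fingerprint(cert) != claimed or claimed not in self.registered_hashes:
            return {"ok": False, "service_cert": self.cert}
        return {"ok": True, "service_cert": self.cert, "signed_cert": ca_sign(cert),
                "second_address": SECOND_SERVICE_ADDR}

class EnrollmentService:
    """Second service: accepts only certificates issued by the provisioning CA."""
    addr = SECOND_SERVICE_ADDR

    def handle(self, msg: dict) -> dict:
        return {"ok": ca_verify(msg["signed_cert"])}

def provision(ep: Endpoint, first: ProvisioningService, second: EnrollmentService) -> dict:
    """Run both stages; report which succeeded and what the endpoint may now reach."""
    reply = ep.send(first, {"cert": ep.self_signed_cert, "hash": fingerprint(ep.self_signed_cert)})
    if not reply["ok"] or fingerprint(reply["service_cert"]) != ep.pinned_service_fp:
        return {"stage1": False, "stage2": False, "allowed": sorted(ep.allowed)}
    ep.signed_cert = reply["signed_cert"]
    ep.allowed.add(reply["second_address"])          # only the address learned in stage 1 is added
    stage2 = ep.send(second, {"signed_cert": ep.signed_cert})["ok"]
    if stage2:
        ep.allowed.add(ANY)                          # signed cert accepted: general traffic unblocked
    return {"stage1": True, "stage2": stage2, "allowed": sorted(ep.allowed)}

def build_scenario(device_id: str = "device-0001", registered: bool = True):
    """Constructed scenario: one endpoint and both services; the OEM may or may not have registered the hash."""
    ep = Endpoint(device_id)
    first = ProvisioningService({fingerprint(ep.self_signed_cert)} if registered else set())
    ep.pinned_service_fp = fingerprint(first.cert)   # pinned at manufacture in this model
    return ep, first, EnrollmentService()

def second_reachable_before_stage1() -> bool:
    """Attempting the second service before stage 1 must hit the block."""
    ep, _, second = build_scenario()
    try:
        ep.send(second, {"signed_cert": None})
        return True
    except Blocked:
        return False
```

Under this model the second service is unreachable until the first service has returned its address, which is the reading applied for purposes of examination; an endpoint whose hash the OEM never registered stays blocked at stage 1, and a certificate whose signature does not verify is refused by the second service so general traffic stays blocked.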

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 5-10, and 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Eldar (US 2009/0165099 A1) in view of Bower (US 2017/0357515 A1).

Regarding claim 1, Eldar discloses: A system, comprising:
a network interface;
Refer to at least network interface 159 in FIG. 1 of Eldar.
a data storage storing a self-signed certificate and a hash and wherein the data storage further comprises a non-volatile read-only portion;
Refer to at least FIG. 1 of Eldar with respect to memory 156 and NVRAM 157. Refer to at least [0012]-[0013] of Eldar with respect to read-only memory.
Refer to at least [0019] and [0030] of Eldar with respect to a stored self-signed certificate and a hash.
a processor;
Refer to at least hardware 150 in FIG. 1 of Eldar.
wherein, the processor, upon determining a first attachment to a network:
Refer to at least [0021] of Eldar with respect to zero-touch/one-touch provisioning.
accesses a first address [stored in memory by an OEM];
Refer to at least [0034] of Eldar with respect to the FQDN of a provisioning server being stored within a client device.
attempts to perform mutual authentication with a first service provided at the first address and wherein the processor initially has all communications via the network blocked except for communications with the service provider (interpreted as the client device not having keys for communication with the network—i.e., blocked by not having access via the respective key);
performs the mutual authentication with the first service provided at the first address comprising providing to the first service the self-signed certificate;
Refer to at least [0047]-[0049] of Eldar with respect to the client performing mutual authentication with the provisioning server via the self-signed certificate. 
upon successfully performing mutual authentication with the first service, receives from the first service a signed certificate;
reconfigures the system to communicate with [the network];
Refer to at least [0055] of Eldar with respect to the provisioning server providing configuration data such as a certificate, private keys, and credentials. 
	Eldar does not fully disclose: hardcoded within the non-volatile read-only portion of the data storage; receives from the first service a second address of a second service; provides the signed certificate to the second service as a requirement to unblock the communications that were blocked; and reconfigures the system to communicate with the second service at the second address and wherein the communications via the network that were blocked are unblocked. However, Eldar in view of Bower discloses: hardcoded within the non-volatile read-only portion of the data storage; 
Refer to at least [0017], [0022], [0024], and [0028] of Bower with respect to a first address of a first server being hardcoded into memory such as a read-only memory.
receives from the first service a second address of a second service; provides the signed certificate (i.e., the certificate which is loaded as configuration information in [0055] of Eldar) to the second service as a requirement to unblock the communications that were blocked; and reconfigures the system to communicate with the second service at the second address and wherein the communications via the network that were blocked are unblocked (as per the 35 USC 112(b) rejection, these claim limitations have been interpreted as finalizing a connection process).
Refer to at least the abstract, FIG. 1-2, [0015]-[0016], and [0027]-[0028] of Bower with respect to a multi-stage bootloader, where each stage requires connection with a server based on information obtained from the previous stage. 
The teachings of Eldar and Bower both concern initializing a client device, and are considered to be within the same field of endeavor and combinable as such. Further, both Eldar and Bower concern firmware. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar to further include a multiple stage provisioning with use of additional servers for at least the purposes of automation and efficiency (i.e., a client device is automatically set up to connect to a network, while specialized servers perform each stage of setup). It further would have been obvious to implement a hardcoded provisioning server address because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., how the address is added by the OEM).

Regarding claim 5, it is rejected for substantially the same reasons as claim 1 above (i.e., an x.509 certificate as per the Eldar disclosure, having address information).
	
Regarding claim 6, Eldar-Bower discloses: The system of claim 1, wherein the processor, following successfully mutual authentication, establishes a secure channel with the first service to receive the signed certificate.
Refer to at least [0044] and [0053] of Eldar with respect to a secure channel.
 
Regarding independent claim 7, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected (i.e., see the citations and obviousness rationale).

Regarding claim 8, Eldar-Bower discloses: The system of claim 7, further comprising generating the certificate signed by the system utilizing a public key of the system.
Refer to at least [0044] of Eldar with respect to generating a certificate with an associated public and private key. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar-Bower to further include generating x.509 certificates via private and public key pairs because all of the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time (i.e., as per the process for creating x.509 certificates).

Regarding claim 9, Eldar-Bower discloses: The system of claim 7, wherein processor receives a unique identifier of the endpoint from a manufacture of the endpoint.
Refer to at least [0027] of Bower with respect to serial numbers, part numbers, and other information of the client device.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar-Bower to further include obtaining a unique identifier of the client device for at least the purpose of securing against counterfeit devices.

Regarding claim 10, it is rejected for substantially the same reasons as claim 9 above.

Regarding independent claim 17, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected (i.e., see the citations and obviousness rationale).

Regarding claim 18, it is rejected for substantially the same reasons as claim 17 above (e.g., FIG. 1 of Eldar).

Claims 2 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Eldar-Bower as applied to claims 1, 5-10, and 17-18 above, and further in view of Pellikka (US 2014/0013108 A1).

Regarding claim 2, Eldar-Bower does not specify: wherein the processor further provides the second service with the signed certificate to be authenticated by the second service. However, Eldar-Bower in view of Pellikka discloses: wherein the processor further provides the second service with the signed certificate to be authenticated by the second service.
Refer to at least [0076] and [0081] of Pellikka with respect to a client using its obtained certificate to connect to network services. 
The teachings of Eldar-Bower and Pellikka concern certificates for obtaining network services, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar-Bower to include support for providing the certificate to desired services for at least the purpose of allowing services to specify clients as per at least [0058] and [0068] of Pellikka; to allow for greater privacy as per at least [0067] and [0003] of Pellikka.

Regarding claim 13, Eldar-Bower-Pellikka discloses: The system of claim 7, wherein the data storage maintains a record identifying a service provider with a customer.
Refer to at least [0058], [0068], [0070]-[0072], and [0075] of Pellikka with respect to client and service associations. 
This claim would have been obvious for substantially the same reasons as claim 2 above.

Regarding claim 14, Eldar-Bower-Pellikka discloses: The system of claim 13, wherein the record is updated upon receiving, from the service provider, a request to associate a third party with the service provider.
Refer to at least [0072] and [0075] of Pellikka with respect to services having client/device associations, including ACLs and blacklists; providing the associations to the VCI. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar-Bower to include support for ACLs and blacklists for at least the purpose of security from malicious clients and/or services.

Regarding claim 15, it is rejected for substantially the same reasons as claim 14 above (i.e., at least [0072] and [0075] of Pellikka with respect to clients).

Claims 3-4, 11-12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Eldar-Bower as applied to claims 1, 5-10, and 17-18 above, and further in view of Azema (US 2004/0025010 A1).

Regarding claim 3, Eldar-Bower discloses: the processor, upon receiving a request to generate the self-signed certificate, generates the self-signed certificate; 
Refer to at least [0044] of Eldar with respect to generating the self-signed certificate.
	While Eldar-Bower discloses generating hashes (e.g., [0051] of Eldar), it does not specify: and a hash of the self-signed certificate and provides the hash to the first service. However, Eldar-Bower in view of Azema discloses: and a hash of the self-signed certificate and provides the hash to the first service.
Refer to at least [0054], [0060], and [0066] of Azema with respect to hashing a certificate. 
The teachings of Eldar-Bower concern certificate verification and mutual authentication and, as such, are considered to be combinable with those of Azema.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar-Bower to include hashing and verification associated with the client certificate because all of the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time (i.e., mutual authentication via certificate and hash value, as per the cited portions).

Regarding claim 4, it is rejected for substantially the same reasons as claims 1 and 3 above (e.g., at least [0054], [0060], and [0066] of Azema with respect the certificate hash and associated verification).

Regarding claims 11-12, they are rejected for substantially the same reasons as elements of claims 3-4 above.

Regarding claim 19, it is rejected for substantially the same reasons as elements of claims 3-4 above.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Eldar-Bower-Pellikka as applied to claims 2 and 13-15 above, and further in view of Caldwell (US 2017/0142191 A1).

Regarding claim 16, Eldar-Bower-Pellikka does not disclose all aspects of: further comprising: receiving a request to from a reseller to update a record that associate an endpoint with a service provider for a customer; and upon determining that the data storage maintains a record granting permission for the update, performing the update. However, Eldar-Bower-Pellikka in view of Caldwell discloses: further comprising: receiving a request to from a reseller to update a record that associate an endpoint with a service provider for a customer; and upon determining that the data storage maintains a record granting permission for the update, performing the update.
Refer to at least [0087] of Caldwell with respect to updating credentials and service associations.
The teachings of Eldar-Bower-Pellikka and Caldwell concern network authentication, and are considered to be combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Eldar-Bower-Pellikka to include third party updates because all of the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time of the invention.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Eldar-Bower as applied to claims 1, 5-10, and 17-18 above, and further in view of Pellikka (US 2014/0013108 A1) and Caldwell (US 2017/0142191 A1).

Regarding claim 20, it is rejected for substantially the same reasons as claim 16 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

US 10,797,888 B1 (Natarajan):	Refer to at least the abstract and Col. 10, Ll. 4-63 of the reference with respect to a mobile computing device enrolment request, wherein the mobile device obtains a signed certificate from an SCEP enrolment server. The mobile device makes use of the certificate for connecting to application servers on the network.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432