DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant's amendments filed on 10/12/2022 have been received and entered.  Currently Claims 21-40 are pending.

Response to Arguments
Applicant argues on pages 8-10 of applicant’s remarks that the cited references do not disclose “generating a self-signed root certificate signed by a root private key on a user device” as recited in claim 21.
The examiner respectfully disagrees.  Brown teaches a user device creating for itself a self-signed root certificate, where the root certificate is signed using a long term private key (e.g. root private key) ([0028], [0030], [0062]).  Therefore, Brown teaches limitations of the claim.

Applicant argues on pages 10-11 of applicant’s remarks that there is no motivation to combine Hayes with Brown.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  
Brown is directed to a device creating a self-signed root certificate, creating a derived intermediate certificate, and authenticating based on the certificates ([0030], [0037], [0041]).  In an analogous art, Hayes is directed to creating a derived certificate based on another certificate, and accessing protected resources based on authentication of the derived certificate (col 9 lines 25-28, col 11 lines 55-60, col 12 lines 1-12).  Hayes further teaches using a certificate chain to transmit user data where the certificates comprise a username (col 9 lines 25-28, col 12 lines 40-50, col 12 lines 60-65).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown of creating a self-signed root certificate, creating a derived intermediate certificate, and authenticating based on the certificates with the teachings of Hayes to include transmitting the user data and retrieving the user data based on a certificate chain in order to authenticate the user based on the certificate chain and user data.  It would have also been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown of creating a self-signed root certificate, creating a derived intermediate certificate, and authenticating based on the certificates with the teachings of Hayes to include transmitting the user data and retrieving the user data based on a certificate chain because the results would have been predictable and would have resulted in certificates having user names and in granting access to protected resources based on authentication of a certificate.

Applicant argues on page 11 of applicant’s remarks that it would not be obvious to combine Beloussov with the other references without the benefit of impermissible hindsight from the present invention.
In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).
Brown teaches generating a long-term private key on a user device ([0028]).  In an analogous art, Beloussov is directed to secure storage of private keys.  In particular, Beloussov teaches storing a private key at a secure remote storage location (col 8 lines 59-65, col 9 lines 12-25).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown with the teachings of Beloussov to include transmitting the private key to, and storing it at, a secure remote location in order to provide secure remote key storage for the root private key.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 23-26 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Brown et al. US2013/0145151 hereinafter referred to as Brown, in view of Nitschke US2017/0054566, Hayes et al. USPN9,736,145 hereinafter referred to as Hayes, and Beloussov et al. USPN11,184,335 hereinafter referred to as Beloussov.
As per claim 21, Brown teaches a method for authenticating a user to a verifying party computer over a network, comprising: generating a self-signed root certificate signed by a root private key on a user device (Brown paragraph [0028], [0030], [0062], generating a self-signed root certificate using a root private key); 
generating an intermediate private key on the user device (Brown paragraph [0036], generating short term private key); 
signing an intermediate certificate with the root private key (Brown paragraph [0037], creating derived certificate using long term private key); 
storing the intermediate private key on the user device (Brown paragraph [0036], [0065], stored short term private key).
Brown does not explicitly disclose generating private key in a secure enclave;
storing private key in the secure enclave;
linking intermediate certificate to root certificate by way of signature to form a certificate chain, the certificate chain including a public key corresponding to intermediate private key; 
transmitting the certificate chain to verifying party computer over network.
Nitschke teaches generating private key in a secure enclave (Nitschke paragraph [0095], private key generated and stored in TPM);
storing private key in the secure enclave (Nitschke paragraph [0095], private key generated and stored in TPM);
linking intermediate certificate to root certificate by way of signature to form a certificate chain, the certificate chain including a public key corresponding to intermediate private key (Nitschke Fig. 2, paragraph [0101], [0104], certificate chain with root certificate and intermediate certificate); 
transmitting the certificate chain to verifying party computer over network (Nitschke paragraph [0106], transferring certificates to checking computer).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown with the teachings of Nitschke to include generating and storing a key in a TPM and transmitting a certificate chain in order to provide secure generation and storage of the private key and user verification based on the certificate chain.
Brown in view of Nitschke does not explicitly disclose receiving, as an input to user device, user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number; 
using a certificate chain as a credential to transmit user verification data to a verifying party computer; 
storing the certificate chain in association with the user identification data in a database by the verifying party computer; 
receiving, at the verifying party computer, a subsequent communication from the user device including the certificate chain; and 
accessing the database by the verifying party computer with the certificate chain to retrieve the user identification data.  
Hayes teaches receiving, as an input to user device, user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number (Hayes col 9 lines 5-10, col 12 lines 45-50, receiving input such as CN or user name); 
using a certificate chain as a credential to transmit user verification data to a verifying party computer (Hayes col 9 lines 25-28, col 12 lines 40-50, col 12 lines 60-65, certificate chain used as credential to transmit user data); 
storing the certificate chain in association with the user identification data in a database by the verifying party computer (Hayes col 9 lines 20-25, col 12 lines 45-50, certificate chain is stored in association with the CN or user name); 
receiving, at the verifying party computer, a subsequent communication from the user device including the certificate chain (Hayes col 9 lines 35-45, col 11 lines 55-60, col 12 lines 1-5, receiving subsequent communication including certificate chain); and 
accessing the database by the verifying party computer with the certificate chain to retrieve the user identification data (Hayes col 9 lines 40-50, col 12 lines 5-12, col 12 lines 37-50, accessing database with the certificate chain to retrieve CN or user name).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke of creating a self-signed root certificate, creating a derived intermediate certificate, and authenticating based on the certificates with the teachings of Hayes to include transmitting the user data and retrieving the user data based on a certificate chain in order to authenticate the user based on the certificate chain and user data.  It would have also been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke of creating a self-signed root certificate, creating a derived intermediate certificate, and authenticating based on the certificates with the teachings of Hayes to include transmitting the user data and retrieving the user data based on a certificate chain because the results would have been predictable and resulted in certificates having user names and granting access to protected resources based on authentication of certificates.
Brown in view of Nitschke and Hayes does not explicitly disclose storing private key externally to user device.
Beloussov teaches storing private key externally to user device (Beloussov col 8 lines 59-65, col 9 lines 12-25, transmit and store private key at remote storage location).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke and Hayes with the teachings of Beloussov to include transmitting the private key to, and storing it at, a secure remote location in order to provide secure remote key storage for the root private key.
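For illustration of the claim 21 limitations mapped above, the following Go program is added here; it is not code from the office action, the applicant, or any cited reference. It assumes the Go standard library only, ECDSA P-256 keys, and a SHA-256 fingerprint over both certificates as the key under which the verifying party associates the chain with the user identification data; the secure enclave, external key storage, and TLS proof of possession of the intermediate private key are outside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate from tmpl for pub, signed by signer; parent == tmpl makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// BuildChain is the user-device side: the root private key signs a self-signed root certificate, then an intermediate certificate for a fresh intermediate private key that stays on the device.
func BuildChain(userName string) (root, inter *x509.Certificate, interKey *ecdsa.PrivateKey, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: userName + " root"}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign}
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if interKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	inter, err = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: userName},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, root, &interKey.PublicKey, rootKey)
	return root, inter, interKey, err
}
// ChainID is the verifying-party check: inter must chain to the presented root (the only trust anchor, since the user signed it), and the fingerprint of both certificates keys the user-data database.
func ChainID(root, inter *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := inter.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	sum := sha256.Sum256(append(append([]byte{}, root.Raw...), inter.Raw...))
	return hex.EncodeToString(sum[:]), nil
}
func main() {
	root, inter, _, err := BuildChain("alice@example.test") // constructed sample user name
	if err != nil {
		panic(err)
	}
	fmt.Println(ChainID(root, inter)) // fingerprint and <nil>
}
```

Because the verifying party has no anchor other than the self-signed root the device itself presents, the fingerprint only ties a later request to whatever chain was enrolled first; binding that chain to the device that holds the intermediate private key is the TLS verification of claim 24, which this block does not perform.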

As per claim 23, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 wherein the self-signed root certificate is an X.509 certificate suitable for use with TLS (Brown paragraph [0030]-[0031], [0052], certificate).  

As per claim 24, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 further comprising verifying, by the verifying computer, with TLS that the certificate chain belongs to the user device (Brown paragraph [0050], [0052], verifying certificate with TLS; Nitschke paragraph [0101], certificate chain; Hayes col 10 lines 8-26, validating certificate with TLS).  

As per claim 25, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 further comprising: storing, by the user device, the intermediate private key in a signing application in a memory of the user device (Brown paragraph [0036], [0062], [0065], storing short term private key; Nitschke paragraph [0102], signing certificate with private key).  

As per claim 26, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21 further comprising: storing, by the user device, the root private key in an external electronic device; and recovering the root private key from the external electronic device (Brown paragraph [0028], [0030], [0062], root private key; Beloussov col 8 lines 59-65, col 9 lines 12-25, col 12 lines 43-45, transmit and store the private key at a remote storage location; recover the private key from the remote location).

As per claim 30, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21, wherein the step of storing the root private key externally to the user device further comprises: transmitting the root private key to a cloud-based credential recovery service server; and recovering the root private key from the cloud-based credential recovery service using at least one of a login, a password, or other user identifying information (Brown paragraph [0028], [0030], [0062], root private key; Beloussov col 8 lines 59-65, col 9 lines 12-25, col 12 lines 1-5, 20-36, 43-45, transmit and store the private key at a remote data center; authenticate the user and recover the private key from the remote location).

Claims 27-29 are rejected under 35 U.S.C. 103 as being unpatentable over Brown in view of Nitschke, Hayes, and Beloussov, and further in view of Patel et al. US2019/0230092 hereinafter referred to as Patel. 
As per claim 27, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21.
Brown in view of Nitschke, Hayes and Beloussov does not explicitly disclose wherein step of storing private key externally to user device further comprises encoding the private key as a visual code and printing the visual code, and further comprising: recovering the private key by scanning the visual code.  
Patel teaches wherein the step of storing the private key externally to the user device further comprises encoding the private key as a visual code and printing the visual code, and further comprising: recovering the private key by scanning the visual code (Patel paragraph [0046], [0048]-[0049], [0052], [0056], the private key is formatted as a QR code and printed on paper; the QR code is scanned to recover the private key).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke, Hayes and Beloussov with the teachings of Patel to include encoding and printing the private key in order to provide a hardcopy backup of the root private key.

As per claim 28, Brown in view of Nitschke, Hayes, Beloussov and Patel teaches the method of claim 27 wherein the visual code is a QR code (Patel paragraph [0046], [0048]-[0049], [0052], [0056], QR code).  

As per claim 29, Brown in view of Nitschke, Hayes and Beloussov teaches the method of claim 21, wherein the step of storing the root private key externally to the user device further comprises transferring the root private key to an external memory device (Brown paragraph [0028], [0030], [0062], root private key; Beloussov col 8 lines 59-65, col 9 lines 5-25, transmit and store private key at external device).
Brown in view of Nitschke, Hayes and Beloussov does not explicitly disclose further comprising: recovering root private key by communicatively coupling external memory device to user device.  
Patel teaches further comprising: recovering the root private key by communicatively coupling the external memory device to the user device (Patel paragraph [0056], backing up the private key to external storage such as a USB flash drive).  It would have been obvious to one of ordinary skill in the art that a user recovers the private key at a later point in time, and that the USB flash drive is connected to the user device in order to recover/retrieve the backed-up private key.
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Brown in view of Nitschke, Hayes and Beloussov with the teachings of Patel to include storing/recovering private key in/from an external device such as USB drive in order to provide a backup copy of the root private key.

Allowable Subject Matter
Claim 22 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claims 31-40 are allowed.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HENRY TSANG/             Primary Examiner, Art Unit 2495