DETAILED ACTION
Responsive to the Applicant’s reply filed on 08/08/2022, the Applicant’s amendments to the claims have been entered, and the respective arguments have been carefully considered and are responded to in the following.
Claims 1-3 and 5-19 are pending.
Claims 1-3 and 5-19 are rejected under 35 USC § 103.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The amendment filed 08/08/2022 has been entered. 
Claims 1, 3, 5, 6 and 19 have been amended. 
Claim 4 is canceled.
Applicant’s amendment to claim 3 overcomes the objection and 112(b) rejection previously set forth in the Non-final Office Action mailed 06/07/2022. Therefore, the objection and 112(b) rejection previously set forth are withdrawn.

Response to Arguments
Applicant’s arguments, see Remarks, filed 08/08/2022, with respect to the rejections of claim 1 under 35 USC § 103 have been fully considered. Independent claims 1 and 19 have been amended to include the subject matter of canceled claim 4. However, upon further consideration, a new ground of rejection is made in view of Fosmark et al. (US 10592872 B2, hereinafter “Fosmark”) and in view of Thakore et al. (US 10911435 B2, hereinafter “Thakore”).
In response to the arguments regarding the teachings of Fosmark, p. 10 ln. 10 to p. 11 ln. 19, with respect to the “hello message”, Examiner asserts that the instant application states, in para. 0314, “The hello message includes a random number”. Fosmark teaches, col. 7 ln. 55-56, “The mobile device 112 [analogous to “second processing circuitry” cured by Hyun] sends a response message 230 to the trusted third party data processing system 106. The response message 230 may include the random unique registration code [“hello message including a random number” as claimed] from the message 215 and the signature of the mobile device 112.” Further, Thakore, the prior art which was previously considered for claims 5 and 6, explicitly teaches and cures the “hello message” in col. 6 ln. 36-38. For these reasons, the argument is not persuasive. Please refer to the 35 U.S.C. § 103 section below for the detailed rejection.
In addition to the arguments above, although the Applicant does not argue the newly added features of amended claim 1, “first processing circuitry, at the another organization, configured to accept a registration transaction for a client certificate of the first user; second processing circuitry, at the another organization, configured to authenticate the first user”, Examiner asserts a new understanding of the limitations, in which the first and second processing circuitry are located at the same another organization. Thus, Hyun’s teaching of operations S130-S140 in Fig. 8B is newly considered for the second processing circuitry as claimed, instead of “operations S120-S128” in Fig. 8B as in the previous Non-final rejection. Please refer to the 35 U.S.C. § 103 section below for the detailed rejection.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 6, 8, 9, 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over HYUN et al. (US 20180294966 A1 hereinafter “Hyun”) in view of UHR et al. (US 20190306147 A1 hereinafter “Uhr_6147”) in view of Fosmark et al. (US 10592872 B2 hereinafter “Fosmark”) and further in view of Thakore et al. (US 10911435 B2 hereinafter “Thakore”).
Regarding claim 1, (Currently Amended) Hyun discloses an authentication system for providing authentication federation among a plurality of service providing organizations including a first organization that a first user belongs to and another organization which provides a service, the authentication system comprising (Fig. 8A-8C): 
wherein first processing circuitry, at the another organization, configured to accept a registration transaction for a [[client certificate]] of the first user ([0053-0054] A digital identity management device [“another organization”] receives a subscription request from a service request device (operation S100). The subscription request may include identity identification information and data of authentication information [analogous to “client certificate” cured by Uhr_6147 below]), and
second processing circuitry, at the another organization, configured to authenticate the first user, when the first user accesses a service of said another organization from a user terminal of the first organization ([0065-0068] When the user terminal requests the second service server to authenticate the user of the user terminal using a digital identity (operation S122 [“first user accesses a service of said another organization”]), the second service server requests the user terminal to provide authentication information of a predetermined type or authentication information of a type appropriate to the situation (operation S124). The user terminal receives authentication information of the requested type (operation S126) and transmits the received authentication information to the second service server (operation S128). The second service server transmits an authentication request including data about the authentication information [analogous to “client certificate” cured by Uhr_6147 below] to the digital identity management device (operation S130). The digital identity management device performs a third process (See details in operations S134-S140 in para. 0068 “configured to authenticate the first user”) for providing identity identification information corresponding to the generated hash value of the authentication information to the second service server), by
verifying the received signature message using the [[client certificate]] of the first user in the client certificate blockchain ([0069] If the authentication information included in the received authentication request is not found in the blockchain, an authentication failure notification is transmitted to the user terminal sequentially via the blockchain network, the digital identity management device, and the second service server (operations S138, S138 a, and S138 b [“verifying the received signature message using the client certificate”]). Operations S142-S152 state the case when the authentication information included in the received authentication request is found in the blockchain (See details in para. 0071-0074)).
Although Hyun teaches, in para. 0054, “The first process includes transmitting a request for the storage of the identity identification information from the digital identity management device to a blockchain network (operation S102)”, it does not explicitly teach “first processing circuitry, at the another organization, configured to accept a registration transaction for a client certificate of the first user, and to register the client certificate of the first user in a client certificate blockchain when the registration transaction for the client certificate of the first user is accepted.”
In a same field of endeavor, Uhr_6147 discloses the authentication system, register the client certificate of the first user in a client certificate blockchain when the registration transaction for the client certificate of the first user is accepted ([0013] if the first signature value is determined as valid, a process of registering or supporting another device connected with the first authentication-supporting server to register the first user certificate in the first blockchain network, wherein the first user certificate includes a first public key of the first PKI certificate and first registration information thereon).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun with the teachings of Uhr_6147 to include first processing circuitry, at the another organization, configured to accept a registration transaction for a client certificate of the first user, and to register the client certificate of the first user in a client certificate blockchain when the registration transaction for the client certificate of the first user is accepted. One of ordinary skill in the art would have been motivated to make this modification because it may allow providing a Single Sign On (SSO) based on blockchain network technology to efficiently protect authentication information on users from external attacks and to prevent forgery by applying a hash function and encryption to user certificates (para. 0010-0011).
The combination of Hyun and Uhr_6147 does not explicitly teach, but Fosmark, which is in the same field of endeavor, discloses the authentication system, wherein the first user is authenticated by sending a [[hello message]] to the first organization system (col. 7 ln. 55-56, The mobile device 112 [“second processing circuitry”] sends a response message 230 [“hello message”] to the trusted third party data processing system 106 [“first organization system”]. For example, the response message 230 may include the random unique registration code [“hello message”] from the message 215 and the signature of the mobile device 112), 

Examiner’s note: The instant application states, in para. 0314, “The hello message includes a random number”. Thus, Examiner concludes that the response message 230 is analogous to the hello message as claimed, which is also cured by Thakore below. 

receiving a signature message corresponding to the [[hello message]] from the first organization system (col. 8 ln. 29-54, The trusted third party data processing system 106 forwards the message 240 to the mobile device 112 and may include a signature of the trusted third party data processing system 106 in the forwarded message 245 [“signature message corresponding to the hello message”]. Upon receipt, the mobile device 112 may check the validity of the security certificate [“client certificate of the first user”]), and 
deciding, if the signature message is correct, that the first user is a legitimate user (col. 8 ln. 29-54, The entity data processing system 104 compares the second code against what was sent and, if the codes match, sends a success message 260 to the trusted third party data processing system 106. The trusted third party data processing system 106 then may send a success message 265 to the mobile device 112).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun and Uhr_6147 with the teachings of Fosmark to include second processing circuitry that authenticates the first user by sending a [[hello message]] to the first organization system, receiving a signature message corresponding to the hello message from the first organization system, and deciding, if the signature message is correct, that the first user is a legitimate user. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Fosmark teaches the response message 230 as stated above, it does not explicitly teach “hello message”.
In a same field of endeavor, Thakore discloses sending a hello message (col. 6 ln. 33-35, The TLS client 40 and the TLS server 42 may then exchange ClientHello and ServerHello messages 64 as defined in the TLS RFCs).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Fosmark with the teachings of Thakore to include the hello message. One of ordinary skill in the art would have been motivated to make this modification because the hello message may be used to confirm that both parties support certain authorization data (col. 6 ln. 36-38).

Regarding claim 5, (Currently Amended) the combination of Hyun, Uhr_6147, Fosmark and Thakore teaches all elements of the current invention as stated in claim 4 above. Fosmark further discloses the authentication system according to claim 4, wherein the second processing circuitry receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct (col. 10 ln. 27-40, Upon receipt of the message 330 [“signature message”], the mobile device 112 may decrypt the message, verify the signature using the public key of the entity data processing system 104 and display 335 a request for a user input to verify that the user is the authorized user of the device (e.g., PIN, password, biometric input, gesture, motion, etc.). In an alternative embodiment, the mobile device 112 may verify the signature of the message 330 using the public key of the trusted third party data processing system 106).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Thakore with the teachings of Fosmark to include the second processing circuitry that receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Hyun teaches “service request device, first/second service server and digital identity management device” for processing authentication information, see Fig. 8A, the combination does not teach “the first organization system comprises an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message.”
In a same field of endeavor, Thakore discloses the authentication system according to claim 1, wherein the first organization system comprises an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message (col. 7 ln. 55-59, The client SD 76 may be generated by concatenating the RandomNonce with the client DTCP certificate and thereafter encrypting the concatenation [“encrypted hello message”] with the private key assigned to the client).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Fosmark with the teachings of Thakore to include an authentication device of the first organization that comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message. One of ordinary skill in the art would have been motivated to make this modification because it provides for authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate the exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information (Abs.).

Regarding claim 6, (Currently Amended) the combination of Hyun, Uhr_6147, Fosmark and Thakore teaches all elements of the current invention as stated in claim 1 above. Fosmark further discloses the authentication system according to claim 1, wherein the second processing circuitry receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct (col. 10 ln. 27-40, Upon receipt of the message 330 [“signature message”], the mobile device 112 may decrypt the message, verify the signature using the public key of the entity data processing system 104 and display 335 a request for a user input to verify that the user is the authorized user of the device (e.g., PIN, password, biometric input, gesture, motion, etc.). In an alternative embodiment, the mobile device 112 may verify the signature of the message 330 using the public key of the trusted third party data processing system 106).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Thakore with the teachings of Fosmark to include the second processing circuitry that receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Hyun teaches “service request device, first/second service server and digital identity management device” for processing authentication information, see Fig. 8A, the combination does not teach “the first organization system comprises the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message.”
In a same field of endeavor, Thakore discloses the authentication system according to claim 1, wherein the first organization system comprises the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message (col. 7 ln. 55-59, The client SD 76 may be generated by concatenating the RandomNonce with the client DTCP certificate and thereafter encrypting the concatenation [“encrypted hello message”] with the private key assigned to the client).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Fosmark with the teachings of Thakore to include a user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message. One of ordinary skill in the art would have been motivated to make this modification because it provides for authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate the exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information (Abs.).
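The challenge-response flow recited in claims 1, 5 and 6 above (hello message carrying a random number, signature message produced with the client private key, verification with the client public key taken from the registered client certificate), as an added stand-alone example; this is not code from the application or from Hyun, Uhr_6147, Fosmark or Thakore. It assumes the client certificate is a dict carrying the user's RSA public key, that the client certificate blockchain is an append-only list read by the authentication system, and that textbook RSA over a SHA-256 digest stands in for a real signature scheme so that it runs with the standard library only.

```python
import hashlib
import secrets

# Added example code (not from the application or the cited references). Textbook
# RSA over a SHA-256 digest stands in for "encrypt with the client private key /
# decrypt with the client public key"; real deployments use RSA-PSS or ECDSA.
PUBLIC_EXPONENT = 65537


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:  # force the top bit (exact size) and the bottom bit (odd)
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_client_keypair(bits=1024):
    """Return (public_key, private_key) as ((n, e), (n, d)) for the first user."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            break
    return (p * q, PUBLIC_EXPONENT), (p * q, pow(PUBLIC_EXPONENT, -1, phi))


def _encode_hello(hello):
    """Hello message -> integer via SHA-256 (256 bits, always below the modulus)."""
    return int.from_bytes(hashlib.sha256(hello).digest(), "big")


def sign_hello(hello, private_key):
    """First-organization side (user terminal or authentication device, claims 5/6):
    encrypt the hello message with the client private key -> signature message."""
    n, d = private_key
    return pow(_encode_hello(hello), d, n)


class AuthenticationSystem:
    """The 'another organization' side of claim 1: first processing circuitry
    (registration) and second processing circuitry (hello and signature check)."""

    def __init__(self):
        self.certificate_ledger = []  # stands in for the client certificate blockchain
        self.pending_hello = {}       # user_id -> hello message awaiting its signature

    # first processing circuitry
    def accept_registration_transaction(self, certificate):
        """Accept the registration transaction and register the certificate."""
        if not {"user_id", "org", "public_key"} <= set(certificate):
            return False  # malformed transaction: not accepted
        if self.lookup_certificate(certificate["user_id"]) is not None:
            return False  # one certificate per user; an existing entry is never overwritten
        self.certificate_ledger.append(dict(certificate))  # append-only registration
        return True

    def lookup_certificate(self, user_id):
        return next((c for c in self.certificate_ledger if c["user_id"] == user_id), None)

    # second processing circuitry, step 1: hello message carrying a random number (para. 0314)
    def send_hello(self, user_id):
        hello = secrets.token_bytes(32)
        self.pending_hello[user_id] = hello
        return hello

    # second processing circuitry, step 2: decrypt with the client public key taken from
    # the registered certificate and compare with the hello message actually issued.
    # The hello is consumed on first use, so a captured signature message cannot be replayed.
    def authenticate(self, user_id, signature_message):
        hello = self.pending_hello.pop(user_id, None)
        cert = self.lookup_certificate(user_id)
        if hello is None or cert is None:
            return False
        n, e = cert["public_key"]
        if not 0 < signature_message < n:
            return False
        return pow(signature_message, e, n) == _encode_hello(hello)
```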

Regarding claim 8, (Original) the combination of Hyun, Uhr_6147 and Thakore teaches all elements of the current invention as stated in claim 8 above. Fosmark further discloses the authentication system according to claim 1, wherein when the first user accesses the service of said another organization from the user terminal of the first organization, the second processing circuitry sends a hello message to a first organization system, receives a signature message corresponding to the hello message from the first organization system, verifies the signature message using the client certificate of the first user, and if the signature message is correct, decides that the first user is a legitimate user (col. 7 ln. 55-56, The mobile device 112 [“second processing circuitry”] sends a response message 230 [“hello message”] to the trusted third party data processing system 106 [“first organization system”]; col. 8 ln. 29-54, The trusted third party data processing system 106 forwards the message 240 to the mobile device 112 and may include a signature of the trusted third party data processing system 106 in the forwarded message 245 [“signature message”]. Upon receipt, the mobile device 112 may perform one or more of the following actions. The mobile device 112 may identify the signature of the trusted third party data processing system 106, … , check the signature of the entity data processing system 104, check the validity of the security certificate [“client certificate of the first user”]. The user data processing system 110 sends the entered second code to the entity data processing system 104 in a message 255. The entity data processing system 104 compares the second code against what was sent and, if the codes match, sends a success message 260 to the trusted third party data processing system 106. The trusted third party data processing system 106 then may send a success message 265 to the mobile device 112).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Thakore with the teachings of Fosmark to include a second processing circuitry that sends a hello message to a first organization system, receives a signature message corresponding to the hello message from the first organization system, verifies the signature message using the client certificate of the first user, and if the signature message is correct, decides that the first user is a legitimate user. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).

Regarding claim 9, (Original) the combination of Hyun, Uhr_6147, Fosmark and Thakore teaches all elements of the current invention as stated in claim 8 above. Fosmark further discloses the authentication system according to claim 8, wherein the second processing circuitry receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct (col. 10 ln. 27-40, Upon receipt of the message 330 [“signature message”], the mobile device 112 may decrypt the message, verify the signature using the public key of the entity data processing system 104 and display 335 a request for a user input to verify that the user is the authorized user of the device (e.g., PIN, password, biometric input, gesture, motion, etc.). In an alternative embodiment, the mobile device 112 may verify the signature of the message 330 using the public key of the trusted third party data processing system 106).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Thakore with the teachings of Fosmark to include a second processing circuitry that receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Hyun teaches “service request device, first/second service server and digital identity management device” for processing authentication information, see Fig. 8A, the combination does not teach “first organization system comprises an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message.”
In a same field of endeavor, Thakore discloses the authentication system according to claim 8, wherein the first organization system comprises an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message (col. 7 ln. 55-59, The client SD 76 may be generated by concatenating the RandomNonce with the client DTCP certificate and thereafter encrypting the concatenation [“encrypted hello message”] with the private key assigned to the client).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Fosmark with the teachings of Thakore to include an authentication device of the first organization comprising processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message. One of ordinary skill in the art would have been motivated to make this modification because it provides for authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate the exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information (Abs.).

Regarding claim 10, the combination of Hyun, Uhr_6147, Fosmark and Thakore teaches all elements of the current invention as stated in claim 8 above. Fosmark further discloses the authentication system according to claim 8, wherein the second processing circuitry receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct (col. 10 ln. 27-40, Upon receipt of the message 330 [“signature message”], the mobile device 112 may decrypt the message, verify the signature using the public key of the entity data processing system 104 and display 335 a request for a user input to verify that the user is the authorized user of the device (e.g., PIN, password, biometric input, gesture, motion, etc.). In an alternative embodiment, the mobile device 112 may verify the signature of the message 330 using the public key of the trusted third party data processing system 106).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Thakore with the teachings of Fosmark to include a second processing circuitry that receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Hyun teaches “service request device, first/second service server and digital identity management device” for processing authentication information, see Fig. 8A, the combination does not teach “first organization system comprises the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message.”
In a same field of endeavor, Thakore discloses the authentication system according to claim 8, wherein the first organization system comprises the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message (col. 7 ln. 55-59, The client SD 76 may be generated by concatenating the RandomNonce with the client DTCP certificate and thereafter encrypting the concatenation [“encrypted hello message”] with the private key assigned to the client).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Fosmark with the teachings of Thakore to include a user terminal of the first organization comprising processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message. One of ordinary skill in the art would have been motivated to make this modification because it provides for authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate the exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information (Abs.).

Regarding claim 19, (Currently Amended) Hyun discloses a non-transitory computer readable medium storing an authentication program for an authentication system for providing authentication federation among a plurality of service providing organizations including a first organization that a first user belongs to and another organization which provides a service, the authentication program causing a computer to execute (Fig. 8A-8C): 
a transaction accepting process of accepting a registration transaction for a [[client certificate]] of the first user ([0053-0054] A digital identity management device [“another organization”] receives a subscription request from a service request device (operation S100). The subscription request may include identity identification information and data of authentication information [analogous to “client certificate” cured by Uhr_6147 below]); 
an authentication process of authenticating the first user, when the first user accesses a service of said another organization from a user terminal of the first organization ([0065-0068] When the user terminal requests the second service server to authenticate the user of the user terminal using a digital identity (operation S122 [“first user accesses a service of said another organization”]), the second service server requests the user terminal to provide authentication information of a predetermined type or authentication information of a type appropriate to the situation (operation S124). The user terminal receives authentication information of the requested type (operation S126) and transmits the received authentication information to the second service server (operation S128). The second service server transmits an authentication request including data about the authentication information [analogous to “client certificate” cured by Uhr_6147 below] to the digital identity management device (operation S130). The digital identity management device performs a third process (See details in operations S134-S140 in para. 0068 “configured to authenticate the first user”) for providing identity identification information corresponding to the generated hash value of the authentication information to the second service server), by 
verifying the received signature message using the client certificate of the first user in the client certificate blockchain ([0069] If the authentication information included in the received authentication request is not found in the blockchain, an authentication failure notification is transmitted to the user terminal sequentially via the blockchain network, the digital identity management device, and the second service server (operations S138, S138 a, and S138 b [“verifying the received signature message using the client certificate”]). Operations S142-S152 state when the authentication information included in the received authentication request is found in the blockchain (See details in para. 0071-0074)).
Although Hyun teaches, in para. 0054, “The first process includes transmitting a request for the storage of the identity identification information from the digital identity management device to a blockchain network (operation S102)”, it does not explicitly teach “a blockchain management process of registering the client certificate of the first user in a client certificate blockchain when the registration transaction for the client certificate of the first user is accepted.”
In a same field of endeavor, Uhr_6147 discloses the non-transitory computer readable medium storing an authentication program for an authentication system, wherein a blockchain management process of registering the client certificate of the first user in a client certificate blockchain when the registration transaction for the client certificate of the first user is accepted ([0013] if the first signature value is determined as valid, a process of registering or supporting another device connected with the first authentication-supporting server to register the first user certificate in the first blockchain network, wherein the first user certificate includes a first public key of the first PKI certificate and first registration information thereon).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun with the teachings of Uhr_6147 to include the concept of “a blockchain management process of registering the client certificate of the first user in a client certificate”. One of ordinary skill in the art would have been motivated to make this modification because it may allow providing a Single Sign On (SSO) based on blockchain network technology to efficiently protect authentication information on users from external attacks and preventing forgery by applying a hash function and encryption to user certificates (para. 0010-0011). 
The combination of Hyun and Uhr_6147 does not explicitly teach, but Fosmark, which is a same field of endeavor, discloses the non-transitory computer readable medium storing an authentication program for an authentication system, wherein by sending a hello message to the first organization system (col. 7 ln. 55-56, The mobile device 112 [“second processing circuitry”] sends a response message 230 [“hello message”] to the trusted third party data processing system 106 [“first organization system”]. For example, the response message 230 may include the random unique registration code [“hello message”] from the message 215 and the signature of the mobile device 112), 

Examiner’s note: The instant application states, in para. 0314, “The hello message includes a random number”. Thus, Examiner concludes that the response message 230 is analogous to the hello message as claimed, which is also cured by Thakore below. 

receiving a signature message corresponding to the [[hello message]] from the first organization system (col. 8 ln. 29-54, The trusted third party data processing system 106 forwards the message 240 to the mobile device 112 and may include a signature of the trusted third party data processing system 106 in the forwarded message 245 [“signature message corresponding to the hello message”]. Upon receipt, the mobile device 112 may check the validity of the security certificate [“client certificate of the first user”]), and 
deciding, if the signature message is correct, that the first user is a legitimate user (col. 8 ln. 29-54, The entity data processing system 104 compares the second code against what was sent and, if the codes match, sends a success message 260 to the trusted third party data processing system 106. The trusted third party data processing system 106 then may send a success message 265 to the mobile device 112).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 with the teachings of Fosmark to include a concept of “receiving a signature message corresponding to the [[hello message]] from the first organization system; deciding, if the signature message is correct, that the first user is a legitimate user”. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Fosmark teaches the response message 230 as stated above, it does not explicitly teach “hello message”.
In a same field of endeavor, Thakore discloses sending a hello message (col. 6 ln. 33-35, The TLS client 40 and the TLS server 42 may then exchange ClientHello and ServerHello messages 64 as defined in the TLS RFCs).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147 and Fosmark with the teachings of Thakore to include the hello message. One of ordinary skill in the art would have been motivated to make this modification because the hello message may be used to confirm that both parties support certain authorization data (col. 6 ln. 36-38).


Claims 2 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over HYUN et al. (US 20180294966 A1 hereinafter “Hyun”) in view of UHR et al. (US 20190306147 A1 hereinafter “Uhr_6147”) in view of Fosmark et al. (US 10592872 B2 hereinafter “Fosmark”) and further in view of Thakore et al. (US 10911435 B2 hereinafter “Thakore”) as applied to claim 1 above, and further in view of Zheng (US 20190238311 A1) and in view of Uhr et al. (US 20180294977 A1 hereinafter “Uhr_4977”).
Regarding claim 2, (Original) the combination of Hyun, Uhr_6147, Fosmark and Thakore teaches all elements of the current invention as stated in claim 1 above. Hyun discloses the authentication system according to claim 1, wherein when the first user accesses the service of said another organization from the user terminal of the first organization ([Hyun: 0065] a user terminal transmits a digital identity subscription request to the first service server (operation S90), and the first service server requests the user terminal to provide customer information (operation S92)).
However, Hyun does not teach “the first processing circuitry checks whether the client certificate of the first user is registered in the revocation list blockchain, and wherein if the client certificate of the first user is not registered in the revocation list blockchain, the second processing circuitry authenticates the first user using the client certificate of the first user.” 
Uhr_6147, which is a same field of endeavor, discloses the authentication system, wherein the first processing circuitry checks whether the client certificate of the first user is registered in the [[revocation list]] blockchain, and wherein if the client certificate of the first user is not registered in the [[revocation list]] blockchain, the second processing circuitry authenticates the first user using the client certificate of the first user ([Uhr_6147: 0027] (II) the first authentication-supporting server performing, if it is confirmed that the specific user certificate is not registered in the specific blockchain network, (II-1) a process of supporting at least one second authentication-supporting server, among respective second authentication-supporting servers corresponding to the respective service servers, to check or to allow another device connected with the second authentication-supporting server to check an SSO session [“client certificate of the first user”, in para. 0011, SSO assuring information security and preventing forgery by applying a hash function and encryption to user certificates] from at least one certain blockchain network connected with the second authentication-supporting server, by transmitting a request for confirming whether there is the SSO session to the second authentication-supporting server, and (II-2) if information on checking the SSO session is acquired from the second authentication-supporting server, a process of allowing use of a specific service provided by the specific service server through the specific app of the user device by supporting the specific service server or the specific app of the user device to associate with the SSO session).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Fosmark and Thakore with the teachings of Uhr_6147 to include the first processing circuitry that checks whether the client certificate of the first user is registered in the revocation list blockchain, and wherein if the client certificate of the first user is not registered in the revocation list blockchain, the second processing circuitry authenticates the first user using the client certificate of the first user. One of ordinary skill in the art would have been motivated to make this modification because it may allow providing a Single Sign On (SSO) based on blockchain network technology to efficiently protect authentication information on users from external attacks and preventing forgery by applying a hash function and encryption to user certificates (para. 0010-0011).
Although Uhr_6147 teaches, in para. 0028, “a specific SSO session corresponding to a log in/out state of the specific app of the user device to/of the specific service server in the specific blockchain network”, the combination does not explicitly teach “wherein when the first user logs out, the first processing circuitry accepts a revocation transaction for the client certificate of the first user, wherein when the revocation transaction for the client certificate of the first user is accepted, the first processing circuitry registers the client certificate of the first user in an revocation list blockchain.”
In a same field of endeavor, Zheng discloses the system, wherein when the first user logs out, the first processing circuitry accepts a revocation transaction for the client certificate of the first user ([0130-0132] the regulatory terminal 102 will verify the validity status of the signature certificate through an OCSP or Certificate Revocation List (CRL) service of the CA institution 112 to regulate the transaction process. The CA institution 112 may further provide an update service for the signature certificate. The regulatory terminal is equivalent to an administrator of the blockchain system, which may affect registration and sign-out of users, registration and sign-out of institutions). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark and Thakore with the teachings of Zheng to include the first processing circuitry that accepts a revocation transaction for the client certificate of the first user when the first user logs out. One of ordinary skill in the art would have been motivated to make this modification because user sign-out and update may be carried out periodically, and user information after sign-out will be removed from the current status tree, thus improving the long-term availability of the system (para. 0136).
However, Zheng does not explicitly teach “when the revocation transaction for the client certificate of the first user is accepted, the first processing circuitry registers the client certificate of the first user in an revocation list blockchain.”
In a same field of endeavor, Uhr_4977 discloses the first processing circuitry, wherein when the revocation transaction for the client certificate of the first user is accepted, the first processing circuitry registers the client certificate of the first user in a revocation list blockchain ([0156] if said one of the conditions is met, the certificate-managing server 300 may allow the node hash information of the specific user who requested the revocation to be included in the Merkle tree corresponding to the root hash value for registration which is also included in the transaction information for monitoring forgery transmitted to and registered in the blockchain nodes 400 [“registers the client certificate of the first user in an revocation list blockchain”], to thereby guide the user to confirm the revocation of the public certificate of the user).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark, Thakore and Zheng with the teachings of Uhr_4977 to include the first processing circuitry that registers the client certificate of the first user in a revocation list blockchain when the revocation transaction for the client certificate of the first user is accepted. One of ordinary skill in the art would have been motivated to make this modification because a user may be allowed to confirm the revocation of the public certificate of the user (para. 0199).

Regarding claim 14, the combination of Hyun, Uhr_6147, Fosmark, Thakore, Zheng and Uhr_4977 teaches all elements of the current invention as stated in claim 2 above. Fosmark further discloses the authentication system according to claim 2, wherein when the first user accesses the service of said another organization from the user terminal of the first organization, the second processing circuitry sends a hello message to a first organization system, receives a signature message corresponding to the hello message from the first organization system, verifies the signature message using the client certificate of the first user, and if the signature message is correct, decides that the first user is a legitimate user (col. 7 ln. 55-56, The mobile device 112 [“second processing circuitry”] sends a response message 230 [“hello message”] to the trusted third party data processing system 106 [“first organization system”]; col. 8 ln. 29-54, The trusted third party data processing system 106 forwards the message 240 to the mobile device 112 and may include a signature of the trusted third party data processing system 106 in the forwarded message 245 [“signature message”]. Upon receipt, the mobile device 112 may perform one or more of the following actions. The mobile device 112 may identify the signature of the trusted third party data processing system 106, … , check the signature of the entity data processing system 104, check the validity of the security certificate [“client certificate of the first user”]. The user data processing system 110 sends the entered second code to the entity data processing system 104 in a message 255. The entity data processing system 104 compares the second code against what was sent and, if the codes match, sends a success message 260 to the trusted third party data processing system 106. The trusted third party data processing system 106 then may send a success message 265 to the mobile device 112).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Thakore, Zheng and Uhr_4977 with the teachings of Fosmark to include a second processing circuitry that sends a hello message to a first organization system when the first user accesses the service of said another organization from the user terminal of the first organization, receives a signature message corresponding to the hello message from the first organization system, verifies the signature message using the client certificate of the first user, and if the signature message is correct, decides that the first user is a legitimate user. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).

Regarding claim 15, the combination of Hyun, Uhr_6147, Fosmark, Thakore, Zheng and Uhr_4977 teaches all elements of the current invention as stated in claim 14 above. Fosmark further discloses the authentication system according to claim 14, wherein the second processing circuitry receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct (col. 10 ln. 27-40, Upon receipt of the message 330 [“signature message”], the mobile device 112 may decrypt the message, verify the signature using the public key of the entity data processing system 104 and display 335 a request for a user input to verify that the user is the authorized user of the device (e.g., PIN, password, biometric input, gesture, motion, etc.). In an alternative embodiment, the mobile device 112 may verify the signature of the message 330 using the public key of the trusted third party data processing system 106).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Thakore, Zheng and Uhr_4977 with the teachings of Fosmark to include the second processing circuitry that receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Hyun teaches “service request device, first/second service server and digital identity management device” for processing authentication information, see Fig. 8A, the combination does not teach “wherein the first organization system comprises an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message”.
In a same field of endeavor, Thakore discloses the system, wherein the first organization system comprises an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message (col. 7 ln.55-59, The client SD 76 may be generated by concatenating the RandomNonce with the client DTCP certificate and thereafter encrypting the concatenation [“encrypted hello message”] with the private key assigned to the client).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark, Zheng and Uhr_4977 with the teachings of Thakore to include the first organization system comprising an authentication device of the first organization, wherein the authentication device of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message. One of ordinary skill in the art would have been motivated to make this modification because it allows authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information (Abs.).

Regarding claim 16, the combination of Hyun, Uhr_6147, Thakore, Zheng and Uhr_4977 teaches all elements of the current invention as stated in claim 14 above. Fosmark further discloses the authentication system according to claim 14, wherein the second processing circuitry receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct (col. 10 ln. 27-40, Upon receipt of the message 330 [“signature message”], the mobile device 112 may decrypt the message, verify the signature using the public key of the entity data processing system 104 and display 335 a request for a user input to verify that the user is the authorized user of the device (e.g., PIN, password, biometric input, gesture, motion, etc.). In an alternative embodiment, the mobile device 112 may verify the signature of the message 330 using the public key of the trusted third party data processing system 106).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Thakore, Zheng and Uhr_4977 with the teachings of Fosmark to include the second processing circuitry that receives the signature message, acquires a client public key of the first user from the client certificate of the first user, decrypts the signature message using the client public key of the first user, and if the decrypted signature message matches the hello message, decides that the signature message is correct. One of ordinary skill in the art would have been motivated to make this modification because a secure sockets layer (SSL) certificate may need to exist for this URL and be signed by a Certificate Authority. Therefore, the public key of this certificate can be used for future authentications (col. 6 ln. 55-60).
Although Hyun teaches “service request device, first/second service server and digital identity management device” for processing authentication information, see Fig. 8A, the combination does not teach “wherein the first organization system comprises the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message.”
In a same field of endeavor, Thakore further discloses the system, wherein the first organization system comprises the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message (col. 7 ln.55-59, The client SD 76 may be generated by concatenating the RandomNonce with the client DTCP certificate and thereafter encrypting the concatenation [“encrypted hello message”] with the private key assigned to the client).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Zheng and Uhr_4977 with the teachings of Thakore to include the first organization system comprising the user terminal of the first organization, wherein the user terminal of the first organization comprises processing circuitry to encrypt the hello message using a client private key of the first user, and to send the encrypted hello message to the authentication system as the signature message. One of ordinary skill in the art would have been motivated to make this modification because it allows authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information (Abs.).


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over HYUN et al. (US 20180294966 A1 hereinafter “Hyun”) in view of UHR et al. (US 20190306147 A1 hereinafter “Uhr_6147”) in view of Fosmark et al. (US 10592872 B2 hereinafter “Fosmark”) and further in view of Thakore et al. (US 10911435 B2 hereinafter “Thakore”) as applied to claim 1 above, and further in view of Qiu (US 11057222 B2).
Regarding claim 3, (Currently Amended) the combination of Hyun, Uhr_6147, Fosmark and Thakore discloses the authentication system according to claim 1, wherein if the client certificate of the first user is correct, the first processing circuitry registers the client certificate of the first user in the client certificate blockchain (Uhr_6147: col. 10 ln. 48-52, At step 402, the user device 104 verifies the user identity information of the user 102. At step 404, the user device 104 signs the first trust certificate and the second trust certificate using the user private key of the user 102 on the blockchain 116 via the network 110).
However, the combination of Hyun and Uhr_6147 may not explicitly disclose, but Qiu, which is a same field of endeavor, discloses the system, wherein the first processing circuitry accepts a registration transaction for a certificate authority certificate of the first organization, wherein when the registration transaction for the certificate authority certificate of the first organization is accepted, the first processing circuitry registers the certificate authority certificate of the first organization in a certificate authority certificate blockchain (col. 7 ln. 1-8, S101: Receive a digital certificate linking request sent by a node in a blockchain, where the digital certificate linking request includes a to-be-verified digital certificate that is generated by the node through signing by using a private key, and is used to request to write the to-be-verified digital certificate into the blockchain. S103: Determine a consensus verification result of the to-be-verified digital certificate of the node), 
wherein when the registration transaction for the client certificate of the first user is accepted, the first processing circuitry verifies the client certificate of the first user using the certificate authority certificate of the first organization in the certificate authority certificate blockchain (col. 7 ln. 9-21, S105: Determine, based on the consensus verification result, whether to write the to-be-verified digital certificate into the blockchain. The node can sign, by itself using a private key disclosed in the blockchain, to generate the to-be-verified digital certificate, and further send the digital certificate linking request including the to-be-verified digital certificate).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark and Thakore with the teachings of Qiu to include the first processing circuitry that accepts a registration transaction for a certificate authority certificate of the first organization, wherein when the registration transaction for the certificate authority certificate of the first organization is accepted, the first processing circuitry registers the certificate authority certificate of the first organization in a certificate authority certificate blockchain, wherein when the registration transaction for the client certificate of the first user is accepted, the first processing circuitry verifies the client certificate of the first user using the certificate authority certificate of the first organization in the certificate authority certificate blockchain. One of ordinary skill in the art would have been motivated to make this modification because a blockchain can be requested to write the to-be-verified digital certificate into the blockchain. Therefore, the node can send the digital certificate linking request in a network-wide broadcast method (col. 7 ln. 19-23).


Claims 7 and 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over HYUN et al. (US 20180294966 A1 hereinafter “Hyun”) in view of UHR et al. (US 20190306147 A1 hereinafter “Uhr_6147”) in view of Fosmark et al. (US 10592872 B2 hereinafter “Fosmark”) and further in view of Thakore et al. (US 10911435 B2 hereinafter “Thakore”) as applied to respective claims 5, 6, 9 and 10 above, and further in view of Leggette (US 10325110 B2).
Regarding claim 7, (Original) the combination of Hyun, Uhr_6147, Fosmark and Thakore does not explicitly teach, but Leggette, which is a same field of endeavor, discloses the authentication system according to claim 5, wherein the first organization system comprises a certificate authority device of the first organization, wherein the certificate authority device of the first organization comprises processing circuitry to generate a signature using a certificate authority private key of the first organization, and to generate the client certificate of the first user to include the generated signature (col. 53 ln. 29-33, the certificate authority module 512 applies a hashing function over the CA certificate to produce a hashed value and encrypts the hashed value using the private key of the public/private key pair to produce the signature over the CA certificate 548), and 
wherein when the registration transaction for the client certificate of the first user is accepted, the first processing circuitry acquires a certificate authority public key of the first organization from the certificate authority certificate of the first organization, verifies the signature using the certificate authority public key of the first organization, and if the signature is correct, decides that the client certificate of the first user is correct (col. 53 ln. 38-58, Having generated the CA certificate 518, certificate authority 512 sends the CA certificate 518 to the plurality of entities of the DSN. The certificate verification module 514 verifies the received CA certificate 518 to produce a verified CA certificate 530. As a specific example, the certificate verification module 514 applies the hashing function over the received CA certificate 518 (e.g., not including the signature) to produce a generated hashed value, extracts the public key of the CA 546 from the received CA certificate 518, extracts the signature over the CA certificate 548 from the received CA certificate 518, decrypts the extracted signature utilizing the extracted public key of the CA 546 to produce a recovered hashed value, and indicates that the received CA certificate 518 is favorably verified when the recovered hash value compares favorably (e.g., substantially the same) to the generated hash value).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark and Thakore with the teachings of Leggette to include a certificate authority device of the first organization that comprises processing circuitry to generate a signature using a certificate authority private key of the first organization, and to generate the client certificate of the first user to include the generated signature, and wherein, when the registration transaction for the client certificate of the first user is accepted, the first processing circuitry acquires a certificate authority public key of the first organization from the certificate authority certificate of the first organization, verifies the signature using the certificate authority public key of the first organization, and if the signature is correct, decides that the client certificate of the first user is correct. One of ordinary skill in the art would have been motivated to make this modification because it allows a hashing function to be applied over the certificate to produce a hashed value, and the hashed value to be encrypted using the private key of the public/private key pair to produce the signature over the CA certificate; alternatively, the certificate authority may apply a signing function to the CA certificate using the private key of the public/private key pair to produce the signature over the CA certificate (col. 53 ln. 30-33). Therefore, the owner of the key pair uses their private key to produce the signature, and anyone with access to the public key can verify that the signature was produced by the private key owner.

Regarding claim 11, the combination of Hyun, Uhr_6147, Fosmark and Thakore may not explicitly teach, but Leggette discloses the authentication system according to claim 9, wherein the first organization system comprises a certificate authority device of the first organization, and wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user (col. 53 ln. 24-27, the certificate authority module 512 generates a public/private key pair in accordance with a public key infrastructure (PKI) approach, where the public/private key pair includes the public key of the CA 546). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark and Thakore with the teachings of Leggette to include a certificate authority device of the first organization, wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user. One of ordinary skill in the art would have been motivated to make this modification because it allows a hashing function to be applied over the certificate to produce a hashed value, and the hashed value to be encrypted using the private key of the public/private key pair to produce the signature over the CA certificate; alternatively, the certificate authority may apply a signing function to the CA certificate using the private key of the public/private key pair to produce the signature over the CA certificate (col. 53 ln. 30-33). Therefore, the owner of the key pair uses their private key to produce the signature, and anyone with access to the public key can verify that the signature was produced by the private key owner.

Regarding claim 12, the combination of Hyun, Uhr_6147, Fosmark and Thakore may not explicitly teach, but Leggette discloses the authentication system according to claim 10, wherein the first organization system comprises a certificate authority device of the first organization, and wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user (col. 53 ln. 24-27, the certificate authority module 512 generates a public/private key pair in accordance with a public key infrastructure (PKI) approach, where the public/private key pair includes the public key of the CA 546). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark and Thakore with the teachings of Leggette to include a certificate authority device of the first organization, wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user. One of ordinary skill in the art would have been motivated to make this modification because it allows a hashing function to be applied over the certificate to produce a hashed value, and the hashed value to be encrypted using the private key of the public/private key pair to produce the signature over the CA certificate; alternatively, the certificate authority may apply a signing function to the CA certificate using the private key of the public/private key pair to produce the signature over the CA certificate (col. 53 ln. 30-33). Therefore, the owner of the key pair uses their private key to produce the signature, and anyone with access to the public key can verify that the signature was produced by the private key owner.

Regarding claim 13 (Original), the combination of Hyun, Uhr_6147, Fosmark and Thakore does not explicitly teach, but Leggette, which is in the same field of endeavor, discloses the authentication system according to claim 6, wherein the first organization system comprises a certificate authority device of the first organization, wherein the certificate authority device of the first organization comprises processing circuitry to generate a signature using a certificate authority private key of the first organization, and to generate the client certificate of the first user to include the generated signature (col. 53 ln. 29-33, the certificate authority module 512 applies a hashing function over the CA certificate to produce a hashed value and encrypts the hashed value using the private key of the public/private key pair to produce the signature over the CA certificate 548), and 
wherein when the registration transaction for the client certificate of the first user is accepted, the first processing circuitry acquires a certificate authority public key of the first organization from the certificate authority certificate of the first organization, verifies the signature using the certificate authority public key of the first organization, and if the signature is correct, decides that the client certificate of the first user is correct (col. 53 ln. 38-58, Having generated the CA certificate 518, certificate authority 512 sends the CA certificate 518 to the plurality of entities of the DSN. The certificate verification module 514 verifies the received CA certificate 518 to produce a verified CA certificate 530. As a specific example, the certificate verification module 514 applies the hashing function over the received CA certificate 518 (e.g., not including the signature) to produce a generated hashed value, extracts the public key of the CA 546 from the received CA certificate 518, extracts the signature over the CA certificate 548 from the received CA certificate 518, decrypts the extracted signature utilizing the extracted public key of the CA 546 to produce a recovered hashed value, and indicates that the received CA certificate 518 is favorably verified when the recovered hash value compares favorably (e.g., substantially the same) to the generated hash value).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark and Thakore with the teachings of Leggette to include a certificate authority device of the first organization that comprises processing circuitry to generate a signature using a certificate authority private key of the first organization, and to generate the client certificate of the first user to include the generated signature, and wherein, when the registration transaction for the client certificate of the first user is accepted, the first processing circuitry acquires a certificate authority public key of the first organization from the certificate authority certificate of the first organization, verifies the signature using the certificate authority public key of the first organization, and if the signature is correct, decides that the client certificate of the first user is correct. One of ordinary skill in the art would have been motivated to make this modification because it allows a hashing function to be applied over the certificate to produce a hashed value, and the hashed value to be encrypted using the private key of the public/private key pair to produce the signature over the CA certificate; alternatively, the certificate authority may apply a signing function to the CA certificate using the private key of the public/private key pair to produce the signature over the CA certificate (col. 53 ln. 30-33). Therefore, the owner of the key pair uses their private key to produce the signature, and anyone with access to the public key can verify that the signature was produced by the private key owner.
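As an added illustration that is not part of this Office action, the instant application, or any cited reference, the following Go program models the flow recited above for claims 7 and 13 together with the Qiu modification applied to claim 1: a certificate authority device generates a key pair and signs the client certificate with the CA private key; a node accepts a registration transaction for the CA certificate into a stand-in for the certificate authority certificate blockchain; and, on a later registration transaction for a client certificate, the node acquires the CA public key from the registered CA certificate, hashes the to-be-signed portion of the client certificate, and verifies the signature against it. The chain type, the function names, the organization and user names, and the choice of P-256 ECDSA with SHA-256 are assumptions made for this example; the standard crypto/x509 and crypto/ecdsa packages stand in for the references' own implementations.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CACertChain stands in for the "certificate authority certificate blockchain": accepted CA
// certificates indexed by organization (assumption: consensus on registration transactions is out of scope).
type CACertChain struct{ byOrg map[string]*x509.Certificate }
func NewCACertChain() *CACertChain { return &CACertChain{byOrg: map[string]*x509.Certificate{}} }

// RegisterCACert handles a registration transaction for a CA certificate: only a self-signed
// certificate marked as a CA and naming an organization is written to the chain.
func (c *CACertChain) RegisterCACert(cert *x509.Certificate) error {
	if len(cert.Subject.Organization) == 0 || !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
		return errors.New("registration rejected: not a valid self-signed CA certificate")
	}
	c.byOrg[cert.Subject.Organization[0]] = cert
	return nil
}

// VerifyClientCert handles a registration transaction for a client certificate: acquire the CA
// public key from the organization's CA certificate in the chain and accept only if the signature verifies.
func (c *CACertChain) VerifyClientCert(org string, client *x509.Certificate) error {
	caCert, ok := c.byOrg[org]
	if !ok {
		return errors.New("rejected: no CA certificate registered for " + org)
	}
	caPub := caCert.PublicKey.(*ecdsa.PublicKey) // issue() only makes P-256 keys
	// Hash the to-be-signed part (signature excluded) and check the signature under that key.
	digest := sha256.Sum256(client.RawTBSCertificate)
	if !ecdsa.VerifyASN1(caPub, digest[:], client.Signature) {
		return errors.New("rejected: signature does not verify under the CA key of " + org)
	}
	return nil
}

// issue plays the CA device: it generates a key pair for the subject and signs the certificate
// with the signer's private key (its own new key when parent is nil, i.e. a self-signed CA certificate).
func issue(org, cn string, usage x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Scenario returns the node's decisions for the same client certificate before and after its CA
// certificate is registered, and for a certificate signed by an unregistered key claiming the same organization.
func Scenario() (before, after, rogue error) {
	chain := NewCACertChain()
	caKey, caCert, err := issue("First Org", "First Org CA", x509.KeyUsageCertSign, nil, nil)
	if err != nil {
		return err, err, err
	}
	_, client, err := issue("First Org", "first user", x509.KeyUsageDigitalSignature, caCert, caKey)
	if err != nil {
		return err, err, err
	}
	before = chain.VerifyClientCert("First Org", client)
	if err := chain.RegisterCACert(caCert); err != nil {
		return before, err, err
	}
	after = chain.VerifyClientCert("First Org", client)
	rogueKey, rogueCA, _ := issue("First Org", "rogue CA", x509.KeyUsageCertSign, nil, nil) // never registered
	_, impostor, _ := issue("First Org", "impostor", x509.KeyUsageDigitalSignature, rogueCA, rogueKey)
	rogue = chain.VerifyClientCert("First Org", impostor)
	return before, after, rogue
}
func main() {
	fmt.Println(Scenario())
}
```

Running the program prints the three decisions: the client certificate is rejected while no CA certificate of its organization is on the chain, accepted once the CA certificate has been registered, and rejected again when the signature was made by a key that was never registered, which is the register-first, then-verify ordering the claim language requires. The explicit hash-then-verify step in VerifyClientCert mirrors the Leggette passage quoted above; in production code the equivalent call is the parsed certificate's CheckSignatureFrom, which also enforces the CA constraints and key-usage bits.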


Claims 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over HYUN et al. (US 20180294966 A1 hereinafter “Hyun”) in view of UHR et al. (US 20190306147 A1 hereinafter “Uhr_6147”) in view of Fosmark et al. (US 10592872 B2 hereinafter “Fosmark”) and further in view of Thakore et al. (US 10911435 B2 hereinafter “Thakore”) in view of Zheng (US 20190238311 A1) and in view of Uhr et al. (US 20180294977 A1 hereinafter “Uhr_4977”) as applied to claims 15 and 16 above, and further in view of Leggette (US 10325110 B2).
Regarding claim 17, the combination of Hyun, Uhr_6147, Fosmark, Thakore, Zheng and Uhr_4977 does not explicitly teach, but Leggette discloses the authentication system according to claim 15, wherein the first organization system comprises a certificate authority device of the first organization, and wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user (col. 53 ln. 24-27, the certificate authority module 512 generates a public/private key pair in accordance with a public key infrastructure (PKI) approach, where the public/private key pair includes the public key of the CA 546). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark, Thakore, Zheng and Uhr_4977 with the teachings of Leggette to include a certificate authority device of the first organization, wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user. One of ordinary skill in the art would have been motivated to make this modification because it allows a hashing function to be applied over the certificate to produce a hashed value, and the hashed value to be encrypted using the private key of the public/private key pair to produce the signature over the CA certificate; alternatively, the certificate authority may apply a signing function to the CA certificate using the private key of the public/private key pair to produce the signature over the CA certificate (col. 53 ln. 30-33). Therefore, the owner of the key pair uses their private key to produce the signature, and anyone with access to the public key can verify that the signature was produced by the private key owner.

Regarding claim 18, the combination of Hyun, Uhr_6147, Fosmark, Thakore, Zheng and Uhr_4977 does not explicitly teach, but Leggette discloses the authentication system according to claim 16, wherein the first organization system comprises a certificate authority device of the first organization, and wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user (col. 53 ln. 24-27, the certificate authority module 512 generates a public/private key pair in accordance with a public key infrastructure (PKI) approach, where the public/private key pair includes the public key of the CA 546). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Hyun, Uhr_6147, Fosmark, Thakore, Zheng and Uhr_4977 with the teachings of Leggette to include a certificate authority device of the first organization, wherein the certificate authority device of the first organization comprises processing circuitry to generate the client private key of the first user. One of ordinary skill in the art would have been motivated to make this modification because it allows a hashing function to be applied over the certificate to produce a hashed value, and the hashed value to be encrypted using the private key of the public/private key pair to produce the signature over the CA certificate; alternatively, the certificate authority may apply a signing function to the CA certificate using the private key of the public/private key pair to produce the signature over the CA certificate (col. 53 ln. 30-33). Therefore, the owner of the key pair uses their private key to produce the signature, and anyone with access to the public key can verify that the signature was produced by the private key owner.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Hang et al. (US 20170359185 A1)- METHOD FOR LOADING WEBSITE SECURITY INFORMATION AND BROWSER APPARATUS: [0046] The browser client sends a client hello message (ClientHello) to the network server, wherein the client hello message includes first encrypted data of the browser client.
Elgamal et al. (US 5657390 A)- Secure Socket Layer Application Program Apparatus And Method: [0027] The client sends to the server, through the sockets connection, a client-hello message which includes the following information: challenge data and cipher.sub.-- specs. In the current implementation of the invention, the challenge data is a random number used to ensure channel integrity as explained below.
Sharifi Mehr (US 20200028699 A1)- Digital certificate management: [0095] the server sends a “Server hello” message to the client including the selected cipher suite, the server's digital certificate, and a value that is randomly generated by the server
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524. The examiner can normally be reached 9:00 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.S./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493