DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/2/22 was filed after the mailing date of the Claims on 2/4/21.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


3.	Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Avetisov, et al. [US 20210044976]
As per claim 1:     Avetisov teach a method comprising:
determining, at a first node, a platform identifier based on one or more hardware characteristics of the first node; [Avetisov: para 0014; a decentralized identity management system that implements zero-knowledge authentication credentials on a blockchain-based computing platform by which authentication of a user to access another computing device. A “platform identifier” may be given the broadest reasonable interpretation as data or information in association to a platform of a node or device per se. As such, platform identifier data may broadly be a form of a credential. See also para 0025, FIG.6, 0101-0103]
sending the platform identifier to a certification service via non-network communication; [Avetisov: para 0007; “non-network”, per BRI may be in the form of within same system or device to device locally or offline per se. Thus, by an application executing within a client execution environment of a first computing device or establishing, by the application, a set of credentials within a secure memory by a co-processor of a trusted execution environment of the first computing device, the co-processor being a different processor from a central processing unit of the first computing device. Thus, as mentioned above, the credential (identification associated to a platform of the user) is established within co-processor of trusted execution environment (TEE) between (mobile or first node) device and another device, which is a non-network communicative entity. Other examples on para 0152; discussing credentials or signed data in relation to certificate and may be off line values/policies stored (non-network). See also para 0172; an authentication server verify access requests from a mobile device by whether the access request complies with a policy and representations of credentials stored by the user device, or other data, like certificates, such as by signature verification, where data is signed by a private key, or signature key, maintained within a TEE of the user mobile device. The authenticators, like representations, certificates, public key or signature verification key by which data signed with a corresponding private key stored within a TEE]
receiving certificate information associated with the platform identifier from the certification service via the non-network communication; [Avetisov: para 0009, 0172]
generating, at a first node application enclave of the first node [Avetisov: para 0009; i.e. a first application executing on a mobile computing device], a key pair comprising a public key of the first node and an associated private key of the first node; [Avetisov: para 0010-0011, 0055; key pair can broadly be verification key correspond to a private key or a first key of the key pair corresponding to a second key of the key pair. See also para 0083, 0101, 0209]
sending, to a digital certificate manager, a request to generate a signed digital certificate, the request comprising the public key of the first node and the certificate information; [Avetisov: para 0013; Verifying the authentication data was generated by the trusted execution environment and corresponds to the signed data based on the signature key; and transmitting, to the second computing device, based on the verifying, instructions to permit user access to the second computing device. See also para 0103, 0153, 0186; credential certificate and signed certificate]
receiving, from the digital certificate manager, the signed digital certificate comprising the public key of the first node and the certificate information; and [Avetisov: para 0013; receiving, from the mobile computing device, a set of representations corresponding to a set of credentials stored within the trusted execution environment on the mobile computing device and a signature verification key corresponding to a private key of the trusted execution environment. See also para 0049, 0236-0237]
storing, at the first node application enclave, the signed digital certificate. [Avetisov: para 0057, 0104]
Claim 2:  Avetisov: para 0013, 0101; discussing the method of claim 1, wherein the platform identifier is sent to the certification service across an air gap, and the certificate information is received from the certification service across the air gap.
Claim 3:  Avetisov: para 0172, 0186; discussing the method of claim 1, wherein the certificate information comprises a certification key certificate, and the digital certificate manager stores the certificate information in a data store. 
Claim 4:  Avetisov: para 0472; discussing the method of claim 1, wherein the non-network communication comprises removable storage media.
Claim 5:  Avetisov: para 0083, 0237; discussing the method of claim 1, further comprising: determining, at the first node, based on a shared secret accessible to the first node and accessible to the certification service, a certification key.
Claim 6:  Avetisov: para 0068, 0096; discussing the method of claim 5, further comprising: receiving, at the first node, a request from a second node to generate a remote attestation; generating, at the first node application enclave, a local attestation based on a cryptographic hash of contents of the first node application enclave; generating the remote attestation by signing the local attestation using a signing key; and sending the remote attestation to the second node. [Avetisov: para 0143; remote and local]
Claim 7:  Avetisov: para 0153; discussing the method of claim 5, further comprising: receiving, at the first node, a request from a second node to generate an offline attestation certificate; generating, at the first node application enclave, a public key hash value based on a node public key of the first node [Avetisov: para 0096, 0202]; generating, at the first node application enclave, a local attestation based on a cryptographic hash of contents of the first node application enclave, the contents including the public key hash value [Avetisov: para 0209-0210]; generating a remote attestation by signing the local attestation using a signing key; and sending the remote attestation to the second node. [Avetisov: para 0143; remote and local]
Claim 8:  Avetisov: para 0210; discussing the method of claim 6, wherein the signing key comprises the certification key.
Claim 9:  Avetisov: para 0150-0151, 0186; discussing the method of claim 6, further comprising: generating, at a first node remote attestation enclave of the first node, an attestation key pair comprising an attestation public key and an associated attestation private key, wherein the signing key comprises the attestation private key; generating, at the first node remote attestation enclave of the first node, an attestation key certificate by signing the attestation public key using the certification key; and sending the attestation key certificate to the digital certificate manager.
Claim 10:  Avetisov: para 0197-0198; discussing the method of claim 6, further comprising: sending, to the second node, a request to join a cluster of nodes that includes the second node; receiving, from the second node, a master key; and encrypting or decrypting, using the master key, data stored at a storage resource.
Claim 11:  Avetisov: para 0143, 0152; discussing the method of claim 1, further comprising: receiving, at the certification service, the platform identifier from the first node via non-network communication; retrieving, from a certificate data store, the certificate information associated with the platform identifier; and sending, at the certification service, the certificate information associated with the platform identifier to the first node via the non-network communication.
As per claim 12: Avetisov teach a method comprising: 
sending, at a second node, a request to generate a remote attestation to a first node; [Avetisov: para 0047; A user may input credentials via the client computing device for the online account at a log-in page of a website via a browser or similar log-in interface within a native application. The credentials to a remote server participate in an authentication system to determine an authentication, i.e. valid credentials in a zero-knowledge proof governing access to an established identity]
receiving, at the second node, an offline attestation certificate associated with the first node, wherein the offline attestation certificate includes a node public key, a remote attestation, and a certification key (CK) certificate; [Avetisov: para 0012, 0041; include an offline or partial-offline process executed by a mobile computing device that initiates authentication to a relying device. There includes offline access with TEE storing offline values as credentials. See also para 0153; The TEE store within or cryptographically sign data associated with applications, or modules within the trusted execution environment to protect data from being tampered with, read, or modified by an unauthorized entity, and the TEE may release only representations or certain credentials (e.g., offline values or certificates) or decrypt certain data (e.g., offline values or certificates) or sign certain data (e.g., certificates or representations of credentials) subject to user authentication results determined within the TEE]
verifying, at the second node, the offline attestation certificate by: [Avetisov: para 0152-0164]
verifying that the node public key was generated in a secure enclave of the first node; [Avetisov: para 0152; discussing credentials or signed data in relation to certificate and may be off line values/policies stored (non-network). See also para 0172; an authentication server verify access requests from a mobile device by whether the access request complies with a policy and representations of credentials stored by the user device, or other data, like certificates, such as by signature verification, where data is signed by a private key, or signature key, maintained within a TEE of the user mobile device. The authenticators, like representations, certificates, public key or signature verification key by which data signed with a corresponding private key stored within a TEE]
verifying a digital signature included in the remote attestation using at least one digital certificate included in the offline attestation certificate; and [Avetisov: para 0366; the offline values are generated based on the signed user certificate, or other deterministic data, like a public key of the mobile device, or a value associated with the relying device, such as a value or values of one or more registers, or a combination of values. See also para 0383-0384]
responsive to successfully verifying the offline attestation certificate, sending, at the second node, a cluster master key to the first node, wherein the cluster master key is used to encrypt and decrypt data associated with a cluster of nodes that includes the second node. [Avetisov: para 0153; the TEE  may release only representations or certain credentials (e.g., offline values or certificates) or decrypt certain data (e.g., offline values or certificates) or sign certain data (e.g., certificates or representations of credentials) subject to user authentication results determined within the TEE]
Claim 6:  Avetisov: para 0068, 0096; discussing the method of claim 12, wherein verifying, at the second node, that the node public key was generated in a secure enclave of the first node comprises verifying that a cryptographic hash of the node public key is included in the remote attestation. 
Claim 7:  Avetisov: para 0153; discussing the method of claim 12, wherein sending, at the second node, the request to generate the remote attestation is performed in response to receiving, at the second node, a request from the first node to join the cluster of nodes that includes the second node. [Avetisov: para 0143; remote]
Claim 15:  Avetisov: para 0012, 0041; discussing the method of claim 12, wherein verifying a digital signature included in the remote attestation comprises: verifying, using a certification key (CK) certificate included in the offline attestation certificate, a first signature included in the remote attestation; and verifying, using a hardware provider root certificate, a second signature included in the certification key (CK) certificate. [Avetisov: para 0143; remote]
Claim 16:  Avetisov: para 0103, 0150; discussing the method of claim 12, wherein verifying a digital signature included in the remote attestation comprises: verifying, using an attestation key certificate included in the offline attestation certificate, a first signature included in the remote attestation; verifying, using a certification key (CK) certificate included in the offline attestation certificate, a second signature included in the attestation key certificate; and verifying, using a hardware provider root certificate, a third signature included in the certification key (CK) certificate. [Avetisov: para 0172, 0186; 0237; root certificate]
As per claim 17: 	Avetisov teach a system comprising: 
a memory; and 
a processing device communicably coupled to the memory, the processing device to perform operations comprising: 
determining, at a first node, a platform identifier based on one or more hardware characteristics of the first node; [Avetisov: para 0014; a decentralized identity management system that implements zero-knowledge authentication credentials on a blockchain-based computing platform by which authentication of a user to access another computing device. A “platform identifier” may be given the broadest reasonable interpretation as data or information in association to a platform of a node or device per se. As such, platform identifier data may broadly be a form of a credential. See also para 0025, FIG.6, 0101-0103]
sending the platform identifier to a certification service via non-network communication; [Avetisov: para 0007; “non-network”, per BRI may be in the form of within same system or device to device locally or offline per se. Thus, by an application executing within a client execution environment of a first computing device or establishing, by the application, a set of credentials within a secure memory by a co-processor of a trusted execution environment of the first computing device, the co-processor being a different processor from a central processing unit of the first computing device. Thus, as mentioned above, the credential (identification associated to a platform of the user) is established within co-processor of trusted execution environment (TEE) between (mobile or first node) device and another device, which is a non-network communicative entity. Other examples on para 0152; discussing credentials or signed data in relation to certificate and may be off line values/policies stored (non-network). See also para 0172; an authentication server verify access requests from a mobile device by whether the access request complies with a policy and representations of credentials stored by the user device, or other data, like certificates, such as by signature verification, where data is signed by a private key, or signature key, maintained within a TEE of the user mobile device. The authenticators, like representations, certificates, public key or signature verification key by which data signed with a corresponding private key stored within a TEE]
receiving certificate information associated with the platform identifier from the certification service via the non-network communication; [Avetisov: para 0009, 0172] 
generating, at a first node application enclave of the first node [Avetisov: para 0009; i.e. a first application executing on a mobile computing device], a key pair comprising a public key of the first node and an associated private key of the first node; [Avetisov: para 0010-0011, 0055; key pair can broadly be verification key correspond to a private key or a first key of the key pair corresponding to a second key of the key pair. See also para 0083, 0101, 0209] 
sending, to a digital certificate manager, a request to generate a signed digital certificate, the request comprising the public key of the first node and the certificate information; [Avetisov: para 0013; Verifying the authentication data was generated by the trusted execution environment and corresponds to the signed data based on the signature key; and transmitting, to the second computing device, based on the verifying, instructions to permit user access to the second computing device. See also para 0103, 0153, 0186; credential certificate and signed certificate] 
receiving, from the digital certificate manager, a signed digital certificate comprising the public key of the first node and the certificate information; and [Avetisov: para 0013; receiving, from the mobile computing device, a set of representations corresponding to a set of credentials stored within the trusted execution environment on the mobile computing device and a signature verification key corresponding to a private key of the trusted execution environment. See also para 0049, 0236-0237]
storing, at the first node application enclave, the signed digital certificate. [Avetisov: para 0057, 0104] [Avetisov: para]
Claim 18:  Avetisov: para 0013, 0101; discussing the system of claim 17, wherein the platform identifier is sent to the certification service across an air gap, and the certificate information is received from the certification service across the air gap.
Claim 19:  Avetisov: para 0172, 0186; discussing the system of claim 17, wherein the certificate information comprises a certification key certificate, and the digital certificate manager stores the certificate information in a data store.
Claim 20:  Avetisov: para 0472; discussing the system of claim 17, wherein the non-network communication comprises removable storage media.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA TRUVAN whose telephone number is (571)272-3851. The examiner can normally be reached Monday-Friday 8:00AM-5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

LEYNNA TRUVAN
Examiner
Art Unit 2435



/L.TT/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435