Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification 
The specification filed on April 21, 2021 is accepted. 
Drawings
The drawings filed on April 21, 2021 are accepted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/21/2021 was filed after the mailing date of the application no. 17/236797 on 04/21/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 
The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims do not include at least one hardware element in the bodies as required by MPEP 2106(I). Claim 1 recites a global identifier server and key pair authentication server, however, since the specification (see para [41 and 46] of instant application) does not limit the server to be only hardware broadly interpreted it also encompass software. Note that a server can be software according to the Wikipedia which states "  server is a piece of computer hardware or software (computer program)". Dependent claims 12-17 are also rejected under 35 USC 101, because they do not cure the deficiencies of independent claims 11.

                                               Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over MALLINSON et al (hereinafter MALLINSON) (US 20200195630) in view of Kim et al (hereinafter Kim) (US 20190075102).

Regarding claim 1 MALLINSON teaches a method for authenticating a user using key pair authentication, comprising: (MALLINSON on [0006] teaches method for authenticating user using public-private key pair);
in response to a user request requesting access to content on a first domain, [[enrolling, by a user device, the user into key pair authentication by generating a private and public key pair for an authentication domain]] (MALLINSON on [0004, 0017-0018 and 0046] teaches user requesting to have access to content of first computing device (i.e. first domain));
requesting, by the user device, access for different content on a second domain (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application);
 based on enrolling the user into the key pair authentication for the first domain, redirecting, by the user device, a browser from the second domain to the authentication domain (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application);
and accessing, by the user device, the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the private and public key pair for the authentication domain (MALLINSON Fig 4 block 616-618 and text on [0050-0055] teaches using the public and private key for signing and validating the challenge in order for user to grant access to remote secure application (i.e. different content on second domain)).
Although MALLINSON teaches user registering public-private key pair for subsequent request to access different content on second domain, but fails to explicitly teach in response to a user request requesting access to content on a first domain, enrolling, by a user device, the user into key pair authentication by generating a private and public key pair for an authentication domain, accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain, however Kim from analogous art teaches
in response to a user request requesting access to content on a first domain, enrolling, by a user device, the user into key pair authentication by generating a private and public key pair for an authentication domain (KIM Fig 9 and text on [0216-0217 and 0250] teaches user using the terminal apparatus 100 (i.e. user device) requesting access to application service (i.e. content on first domain) provided by server apparatus 200 by providing login credential and in response generating by the terminal device 100 public and private key pair for enrolling the user with FIDO blockchain system 300);
accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain  (KIM Fig 9 and text on [0216-0217 and 0250] teaches user using the terminal apparatus 100 (i.e. user device) requesting access to application service (i.e. content on first domain in instant case) provided by server apparatus 200 by providing login credential and in response generating by the terminal device 100 public and private key pair for enrolling the user with FIDO blockchain system 300).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by enrolling the user into key pair authentication by generating public-private key pair for accessing domain. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

Regarding claim 2 the combination of MALLINSON and Kim teaches all the limitations of claim 1 above, MALLINSON  further teaches further comprising: based on authenticating user credentials for the first domain, redirecting, by the user device, the browser from the first domain to the authentication domain  (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application).
 
Regarding claim 3 the combination of MALLINSON and Kim teaches all the limitations of claim 1 above, Kim further teaches wherein the key pair authentication server is a fast identity online (FIDO) server (Kim Fig 1 and text on [0007-0010] teaches FIDO authentication server and device).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by performing authentication using FIDO server. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

Regarding claim 18 MALLINSON teaches a user device comprising (MALLINSON on [0018-0019] teaches a mobile device);
 one or more processors; and a non-transitory computer-readable medium having processor-executable instructions stored thereon, wherein the processor-executable instructions, when executed, facilitate (MALLINSON on [0035 and 0041-0043] teaches processor for executing instruction stored in memory);
in response to a user request requesting access to content on a first domain, [[enrolling the user into key pair authentication by generating a private and public key pair for an authentication domain]] (MALLINSON on [0004, 0017-0018 and 0046] teaches user requesting to have access to content of first computing device (i.e. first domain));
requesting access for different content on a second domain (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application);
 based on enrolling the user into the key pair authentication for the first domain, redirecting a browser from the second domain to the authentication domain (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application);
and accessing the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the private and public key pair for the authentication domain (MALLINSON Fig 4 block 616-618 and text on [0050-0055] teaches using the public and private key for signing and validating the challenge in order for user to grant access to remote secure application (i.e. different content on second domain)).

Although MALLINSON teaches user registering public-private key pair for subsequent request to access different content on second domain, but fails to explicitly teach in response to a user request requesting access to content on a first domain, enrolling, by a user device, the user into key pair authentication by generating a private and public key pair for an authentication domain, accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain, however Kim from analogous art teaches
in response to a user request requesting access to content on a first domain, enrolling, by a user device, the user into key pair authentication by generating a private and public key pair for an authentication domain (KIM Fig 9 and text on [0216-0217 and 0250] teaches user using the terminal apparatus 100 (i.e. user device) requesting access to application service (i.e. content on first domain) provided by server apparatus 200 by providing login credential and in response generating by the terminal device 100 public and private key pair for enrolling the user with FIDO blockchain system 300);
accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain  (KIM Fig 9 and text on [0216-0217 and 0250] teaches user using the terminal apparatus 100 (i.e. user device) requesting access to application service (i.e. content on first domain in instant case) provided by server apparatus 200 by providing login credential and in response generating by the terminal device 100 public and private key pair for enrolling the user with FIDO blockchain system 300).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by enrolling the user into key pair authentication by generating public-private key pair for accessing domain. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

Regarding claim 19 the combination of MALLINSON and Kim teaches all the limitations of claim 18 above, MALLINSON further teaches wherein the processor-executable instructions, when executed, further facilitate: based on authenticating user credentials for the first domain, redirecting, by the user device, the browser from the first domain to the authentication domain (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application).

Regarding claim 20 the combination of MALLINSON and Kim teaches all the limitations of claim 18 above, Kim further teaches wherein the key pair authentication server is a fast identity online (FIDO) server (Kim Fig 1 and text on [0007-0010] teaches FIDO authentication server and device).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by performing authentication using FIDO server. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

Claims 4-6, 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over MALLINSON et al (hereinafter MALLINSON) (US 20200195630) in view of Kim et al (hereinafter Kim) (US 20190075102) and further in view of Cha et al (hereinafter Cha) (US 20140230027).

Regarding claim 4 the combination of MALLINSON and Kim teaches all the limitations of claim 1 above, Kim further teaches further comprising: receiving, from a global identifier server, a global identifier based on the user request (KIM Fig 9 block 402 and text on [0215-0217, 0221 and 0232] teaches user accessing application service running on RP server apparatus 200 (i.e. global identifier server) as request initiated by terminal 100 and in response the RP server 200 may provide string  Authenticator Attestation Globally Unique Identifier (AAGUID) for requesting the unique identifier of the user terminal apparatus 100 to the user authentication information retrieval program 301a of the FIDO blockchain 300.)
wherein the user request comprises a user identifier (KIM Fig 9 block 402 and text on [0215-0217, 0221 and 0232] teaches user providing ID and password for accessing application service).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by enrolling the user into key pair authentication by generating public-private key pair for accessing domain. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

	Although the combination of MALLINSON and Kim teaches determining if the credential identifier is already stored in the database and registering the user in key pair authentication based on determination, but fails to teach determining whether the received global identifier for the user is stored in the key pair authentication server, and based on the received global identifier not being stored in the key pair authentication server, providing user credentials to a first authentication server associated with the first domain, however Cha from analogous art teaches determining whether the received global identifier for the user is stored in the key pair authentication server (Cha Fig 3 and text on [0081-0086] teaches user submitting OIDs identifier to GW 354 (i.e. key pair authentication server), the GW 354 determines if the OID is not in the database, then enrolling the user by redirecting the user to enrolment page of GW 354 and using the signing key S (i.e. public key in instant case) obtain from OPSFg, OIDs (i.e. global identifier) OPloc (i.e. authentication domain in view of [0027]) for completing the enrollment process 310-346 as shown in Fig 3).
 and based on the received global identifier not being stored in the key pair authentication server, providing user credentials to a first authentication server associated with the first domain (Cha Fig 3 and text on [0081-0086] teaches user submitting OIDs identifier to GW 354 (i.e. key pair authentication server), the GW 354 determines if the OID is not in the database, then enrolling the user by redirecting the user to enrolment page of GW 354 and using the signing key S (i.e. public key in instant case) obtain from OPSFg, OIDs (i.e. global identifier) OPloc (i.e. authentication domain in view of [0027]) for completing the enrollment process 310-346 as shown in Fig 3).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Cha into the combined teaching of MALLINSON and Kim by enrolling the user into key pair authentication based on determining that global identifier is not included in the database. One would be motivated to do so in order to authenticate user for the target domain based on the global identifier stored on the source domain without registering the user with the target domain again thereby establishing secure and reliable access to the resource at target domain (Cha on [0002-0004]).   

Regarding claim 5 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 4 above, Cha further teaches wherein enrolling the user for the key pair authentication comprises: providing the global identifier to the key pair authentication server, wherein the key pair authentication server enrolls the user for key pair authentication based on the global identifier and the authentication domain  (Cha Fig 3 and text on [0081-0086] teaches user submitting OIDs identifier to GW 354 (i.e. key pair authentication server), the GW 354 determines if the OID is not in the database, then enrolling the user by redirecting the user to enrolment page of GW 354 and using the signing key S (i.e. public key in instant case) obtain from OPSFg, OIDs (i.e. global identifier) OPloc (i.e. authentication domain in view of [0027]) for completing the enrollment process 310-346 as shown in Fig 3).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Cha into the combined teaching of MALLINSON and Kim by enrolling the user into key pair authentication based on determining that global identifier is not included in the database. One would be motivated to do so in order to authenticate user for the target domain based on the global identifier stored on the source domain without registering the user with the target domain again thereby establishing secure and reliable access to the resource at target domain (Cha on [0002-0004]).   
Regarding claim 6 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 5 above, MALLINSON further teaches wherein enrolling the user for key pair authentication further comprises: in response to providing the global identifier, receiving, by the user device, a challenge and allowed authenticators from the key pair authentication server; (MALLINSON on [0048-0052] teaches providing to the local device a challenge in response to a request for challenge and allowed authentication for the challenge and  providing the signed mobile challenge, the challenge received from the authentication service, and the public key of the public-private key pair to the mobile device. In particular, the signed challenge and the public key can be provided to the mobile credential (e.g., mobile smart card 102);
signing the challenge using the private and public key pair; and providing the signed challenge and a public key of the private and public key pair to the key pair authentication server, (MALLINSON on [0048-0052] teaches providing to the local device a challenge in response to a request for challenge and allowed authentication for the challenge and  providing the signed mobile challenge, the challenge received from the authentication service, and the public key of the public-private key pair to the mobile device. In particular, the signed challenge and the public key can be provided to the mobile credential (e.g., mobile smart card 102);
Kim teaches wherein the key pair authentication server associates and stores the global identifier, the authentication domain, and the public key together (Kim table 1 and text on [0203] teaches recording the global identifier AAGUID, public key and domain information).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by performing authentication using FIDO server. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).
Regarding claim 8 the combination of MALLINSON and Kim teaches all the limitations of claim 1 above, Kim further teaches further comprising: in response to requesting access for the different content on the second domain, receiving a global identifier associated with a user identifier (KIM Fig 9 block 402 and text on [0215-0217, 0221 and 0232] teaches user accessing application service running on RP server apparatus 200 (i.e. global identifier server) as request initiated by terminal 100 and in response the RP server 200 may provide string  Authenticator Attestation Globally Unique Identifier (AAGUID) for requesting the unique identifier of the user terminal apparatus 100 to the user authentication information retrieval program 301a of the FIDO blockchain 300).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by enrolling the user into key pair authentication by generating public-private key pair for accessing domain. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

The combination fails to explicitly teach determining whether the received global identifier for the user is stored in the key pair authentication server, and wherein redirecting the browser from the second domain to the authentication domain is based on determining the received global identifier is already stored in the key pair authentication server, however Cha from analogous art teaches  determining whether the received global identifier for the user is stored in the key pair authentication server, and wherein redirecting the browser from the second domain to the authentication domain is based on determining the received global identifier is already stored in the key pair authentication server (Cha Fig 3 and text on [0081-0086] teaches user submitting OIDs identifier to GW 354 (i.e. key pair authentication server), the GW 354 determines if the OID is not in the database, then enrolling the user by redirecting the user to enrolment page of GW 354 and using the signing key S (i.e. public key in instant case) obtain from OPSFg, OIDs (i.e. global identifier) OPloc (i.e. authentication domain in view of [0027]) for completing the enrollment process 310-346 as shown in Fig 3 and If the identifier is included then the user is directed to for authentication as shown in Fig 4 block 410-440).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Cha into the combined teaching of MALLINSON and Kim by enrolling the user into key pair authentication based on determining that global identifier is not included in the database. One would be motivated to do so in order to authenticate user for the target domain based on the global identifier stored on the source domain without registering the user with the target domain again thereby establishing secure and reliable access to the resource at target domain (Cha on [0002-0004]).   

Regarding claim 9 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 8 above, Kim further teaches wherein accessing the different content on the second domain based on performing the key pair authentication with the key pair authentication server comprises: receiving a challenge and allowed authentications from the key pair authentication server (MALLINSON on [0048-0052] teaches providing to the local device a challenge in response to a request for challenge and allowed authentication for the challenge and  providing the signed mobile challenge, the challenge received from the authentication service, and the public key of the public-private key pair to the mobile device. In particular, the signed challenge and the public key can be provided to the mobile credential (e.g., mobile smart card 102);
signing the challenge using the private and public key pair for the authentication domain (MALLINSON on [0048-0052] teaches providing to the local device a challenge in response to a request for challenge and allowed authentication for the challenge and  providing the signed mobile challenge, the challenge received from the authentication service, and the public key of the public-private key pair to the mobile device. In particular, the signed challenge and the public key can be provided to the mobile credential (e.g., mobile smart card 102);
providing the signed challenge to the key pair authentication server, wherein the key pair authentication server validates the signed challenge with a stored public key associated with the authentication domain (MALLINSON on [0052] teaches validating the signed challenge at the mobile device, and in particular at the mobile smart card 102. Validating the challenge can include use of the public key that is generated as part of the public/private key pair at the authentication user interface and/or browser. It can also include, for example, requesting user authentication credentials at the mobile device 14 to register the received public key, and subsequently registering the public key at the mobile smart card 102.)
 and accessing the different content on the second domain based on the validation (MALLINSON Fig 4 block 618 and text on [0054-0055] teaches accessing the secure application based on validating challenge).

Claims 7 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over MALLINSON et al (hereinafter MALLINSON) (US 20200195630) in view of Kim et al (hereinafter Kim) (US 20190075102) in view of Cha et al (hereinafter Cha) (US 20140230027) and further in view of POCHUEV et al (hereinafter POCHUEV) (US 20200145409).

Regarding claim 7 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 6 above, the combination fails to explicitly teach based on providing the signed challenge and the public key, receiving a signed JSON web token (JWT) from the key pair authentication server; and trading the signed JWT for a valid OpenID Connect (OIDC) token with a resource manager server, wherein the valid OIDC token is used to access the content on the first domain, however POCHUEV from analogous art teaches based on providing the signed challenge and the public key, receiving a signed JSON web token (JWT) from the key pair authentication server; and trading the signed JWT for a valid OpenID Connect (OIDC) token with a resource manager server, wherein the valid OIDC token is used to access the content on the first domain (POCHUEV on [0074 and 0103] teaches RoT identity server 114 returns to the authentication policy server 112 an authentication response 1307 and the authentication policy server 112 returns two tokens describing the authentication parameters. One token may be the identity token, as specified by OpenID Connect protocol, which includes among other things the identity of the device (its alias). This token is formatted as JSON with token and can be signed by the asymmetric key of the authentication policy server 112  to be verified by the provisioning policy server 116. The other token may be the access token, which includes signed attestation data that can be validated by the device provisioning service 106. An example of this data may be the application's public key, which can be used as a basis for certificate issuance by the provisioning server 118).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of POCHUEV into the teaching of MALLINSON, Kim and Cha by having signed JSON web toke for OpenID connect to access the content on first domain. One would be motivated to do so in order to allow secure communication based on JSON web Token between different entities (POCHUEV on [0001]).

Regarding claim 10 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 1 above, the combination fails to explicitly teach wherein accessing the different content based on the validation comprises: receiving a signed JSON web token (JWT) based on the key pair authentication server validating the signed challenge; and trading the signed JWT for a valid OpenID Connect (OIDC) token with a resource manager server, wherein the valid OIDC token is used to access the different content on the second domain, however POCHUEV from analogous art teaches wherein accessing the different content based on the validation comprises: receiving a signed JSON web token (JWT) based on the key pair authentication server validating the signed challenge; and trading the signed JWT for a valid OpenID Connect (OIDC) token with a resource manager server, wherein the valid OIDC token is used to access the different content on the second domain (POCHUEV on [0074 and 0103] teaches RoT identity server 114 returns to the authentication policy server 112 an authentication response 1307 and the authentication policy server 112 returns two tokens describing the authentication parameters. One token may be the identity token, as specified by OpenID Connect protocol, which includes among other things the identity of the device (its alias). This token is formatted as JSON with token and can be signed by the asymmetric key of the authentication policy server 112  to be verified by the provisioning policy server 116. The other token may be the access token, which includes signed attestation data that can be validated by the device provisioning service 106. An example of this data may be the application's public key, which can be used as a basis for certificate issuance by the provisioning server 118).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of POCHUEV into the teaching of MALLINSON, Kim and Cha by having signed JSON web toke for OpenID connect to access the content on first domain. One would be motivated to do so in order to allow secure communication based on JSON web Token between different entities (POCHUEV on [0001]).

Claims 11-15 are rejected under 35 U.S.C. 103 as being unpatentable over MALLINSON et al (hereinafter MALLINSON) (US 20200195630) in view of Kim et al (hereinafter Kim) (US 20190075102) and further in view of Cha et al (hereinafter Cha) (US 20140230027).

Regarding claim 11 MALLINSON teaches a system for authenticating a user using key pair authentication, the system comprising: (MALLINSON on [0006] teaches system and method for authenticating user using public-private key pair);
[[a global identifier server configured to: provide a global identifier associated with the user based on a user request, from a user device,]] requesting access to content on a first domain (MALLINSON on [0004, 0017-0018 and 0046] teaches user requesting to have access to content of first computing device (i.e. first domain));
wherein the public key is from a private and public key pair for the authentication domain (MALLINSON on [0050] teaches public-private key pair);
based on enrolling the user in key pair authentication and in response to a second user request to request access to different content on a second domain, provide instructions to redirect the user device to the authentication domain (MALLINSON Fig 4 block 604 and text on [0047 and 0060] teaches user request to access secure remote application (i.e. different content) stored on cloud server device 16 (i.e. second domain), receiving at a browser of a local computing device a redirection from a remote secure application to the remote authentication service (i.e. authentication domain) for purposes of authentication and access to the remote secure application. Further teaches once the public key is registered with user at local computing device 12 for accessing local application, there is no need for entering credential again for accessing remote secure application);
and perform the key pair authentication with the user device for the second domain using the public key from the private and public key pair for the authentication domain (MALLINSON Fig 4 block 616-618 and text on [0050-0055] teaches using the public and private key for signing and validating the challenge in order for user to grant access to remote secure application).
Although MALLINSON teaches user registering public-private key pair for subsequent request to access different content on second domain, but fails to explicitly teach a global identifier server configured to: provide a global identifier associated with the user based on a user request, from a user device, requesting access to content on a first domain and a key pair authentication server configured to: based on determining the global identifier associated with the user does not exist within the key pair authentication server, enroll the user in key pair authentication using the global identifier, an authentication domain, and a public key received from the user device, however Kim from analogous art teaches a global identifier server configured to: provide a global identifier associated with the user based on a user request, from a user device, requesting access to content on a first domain (KIM Fig 9 block 402 and text on [0215-0217, 0221 and 0232] teaches user accessing application service running on RP server apparatus 200 (i.e. global identifier server) as request initiated by terminal 100 and in response the RP server 200 may provide string  Authenticator Attestation Globally Unique Identifier (AAGUID) for requesting the unique identifier of the user terminal apparatus 100 to the user authentication information retrieval program 301a of the FIDO blockchain 300).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by providing global identifier in response to users request for accessing content on first domain. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).
	Although the combination teaches enrolling the user into key pair authentication based on determining that the credential identifier is not already stored in the database, but fails to explicitly teach and a key pair authentication server configured to: based on determining the global identifier associated with the user does not exist within the key pair authentication server, enroll the user in key pair authentication using the global identifier, an authentication domain, and a public key received from the user device, however Cha from analogous art teaches a key pair authentication server configured to: based on determining the global identifier associated with the user does not exist within the key pair authentication server, enroll the user in key pair authentication using the global identifier, an authentication domain, and a public key received from the user device (Cha Fig 3 and text on [0081-0086] teaches user submitting OIDs identifier to GW 354 (i.e. key pair authentication server), the GW 354 determines if the OID is not in the database, then enrolling the user by redirecting the user to enrolment page of GW 354 and using the signing key S (i.e. public key in instant case) obtain from OPSFg, OIDs (i.e. global identifier) OPloc (i.e. authentication domain in view of [0027]) for completing the enrollment process 310-346 as shown in Fig 3).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Cha into the combined teaching of MALLINSON and Kim by enrolling the user into key pair authentication based on determining that global identifier is not included in the database. One would be motivated to do so in order to authenticate user for the target domain based on the global identifier stored on the source domain without registering the user with the target domain again thereby establishing secure and reliable access to the resource at target domain (Cha on [0002-0004]).   

Regarding claim 12 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 11 above, Kim further teaches wherein the key pair authentication server is a fast identity online (FIDO) server (Kim Fig 1 and text on [0007-0010] teaches FIDO authentication server and device).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by performing authentication using FIDO server. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

Regarding claim 13 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 11 above, MALLINSON further teaches wherein the key pair authentication server is configured to enroll the user in the key pair authentication by providing, to the user device, a challenge and allowed authenticators (MALLINSON on [0048-0052] teaches providing to the local device a challenge in response to a request for challenge and allowed authentication for the challenge and  providing the signed mobile challenge, the challenge received from the authentication service, and the public key of the public-private key pair to the mobile device. In particular, the signed challenge and the public key can be provided to the mobile credential (e.g., mobile smart card 102);
receiving, from the user device, a signed challenge and the public key of the private and public key pair for the authentication domain (MALLINSON on [0048-0052] teaches providing to the local device a challenge in response to a request for challenge and allowed authentication for the challenge and  providing the signed mobile challenge, the challenge received from the authentication service, and the public key of the public-private key pair to the mobile device. In particular, the signed challenge and the public key can be provided to the mobile credential (e.g., mobile smart card 102).
Kim teaches associating the global identifier, the authentication domain, and the public key together (Kim table 1 and text on [0203] teaches recording the global identifier AAGUID, public key and domain information).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Kim into the teaching of MALLINSON by providing global identifier in response to users request for accessing content on first domain. One would be motivated to do so in order to enable application services of multiple domains to securely share and use FIDO authentication information of a user without any trusted third party (Kim on [0018]).

Regarding claim 14 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 13 above, MALLINSON further teaches wherein the signed challenge is a challenge that is signed by the user device using a private key of the private and public key pair for the authentication domain (MALLINSON on [0005-0007 and 0050-0052] teaches signing the challenge using the private key of public-private key pair).
Regarding claim 15 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 13 above, KIM further teaches wherein the key pair authentication server provides the allowed authenticators by providing one or more biometric requests to the user device, wherein the biometric requests request a biometric marker associated with the user (Kim on [0071, 0249 and 0445] teaches biometric authentication using fingerprint).
The motivation for combining is same as set forth above in claim 11.

Claims 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over MALLINSON et al (hereinafter MALLINSON) (US 20200195630) in view of Kim et al (hereinafter Kim) (US 20190075102) in view of Cha et al (hereinafter Cha) (US 20140230027) and further in view of POCHUEV et al (hereinafter POCHUEV) (US 20200145409).

Regarding claim 16 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 13 above, the combination fails to explicitly teach wherein the key pair authentication server is further configured to: based on enrolling the user in the key pair authentication, providing a signed JSON web token (JWT) for accessing the content on the first domain however POCHUEV from analogous art teaches wherein the key pair authentication server is further configured to: based on enrolling the user in the key pair authentication, providing a signed JSON web token (JWT) for accessing the content on the first domain (POCHUEV on [0074 and 0103] teaches RoT identity server 114 returns to the authentication policy server 112 an authentication response 1307 and the authentication policy server 112 returns two tokens describing the authentication parameters. One token may be the identity token, as specified by OpenID Connect protocol, which includes among other things the identity of the device (its alias). This token is formatted as JSON with token and can be signed by the asymmetric key of the authentication policy server 112  to be verified by the provisioning policy server 116. The other token may be the access token, which includes signed attestation data that can be validated by the device provisioning service 106. An example of this data may be the application's public key, which can be used as a basis for certificate issuance by the provisioning server 118).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of POCHUEV into the combined teaching of MALLINSON, Kim and Cha by having signed JSON web toke for OpenID connect to access the content on first domain. One would be motivated to do so in order to allow secure communication based on JSON web Token between different entities (POCHUEV on [0001]).

Regarding claim 17 the combination of MALLINSON, Kim and Cha teaches all the limitations of claim 11 above, the combination fails to explicitly teach wherein the key pair authentication server is further configured to: based on performing the key pair authentication with the user device for the second domain using the public key from the private and public key pair for the authentication domain, providing a signed JSON web token (JWT) for accessing the different content on the second domain, however POCHUEV from analogous art teaches wherein the key pair authentication server is further configured to: based on performing the key pair authentication with the user device for the second domain using the public key from the private and public key pair for the authentication domain, providing a signed JSON web token (JWT) for accessing the different content on the second domain (POCHUEV on [0074 and 0103] teaches RoT identity server 114 returns to the authentication policy server 112 an authentication response 1307 and the authentication policy server 112 returns two tokens describing the authentication parameters. One token may be the identity token, as specified by OpenID Connect protocol, which includes among other things the identity of the device (its alias). This token is formatted as JSON with token and can be signed by the asymmetric key of the authentication policy server 112  to be verified by the provisioning policy server 116. The other token may be the access token, which includes signed attestation data that can be validated by the device provisioning service 106. An example of this data may be the application's public key, which can be used as a basis for certificate issuance by the provisioning server 118).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of POCHUEV into the combined teaching of MALLINSON, Kim and Cha by having signed JSON web toke for OpenID connect to access the content on first domain. One would be motivated to do so in order to allow secure communication based on JSON web Token between different entities (POCHUEV on [0001]).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Leicher et al (US 20130191884) is directed towards system for implementing identity management mechanisms, such as mechanisms associated with an OpenID Connect protocol for example, on a user equipment (UE). In an example embodiment, a user equipment (UE) and a service provider (SP) may communicate via a network. A user of the UE may request access to a service that is provided by the SP.
Haulund (US 20130173915) is directed towards systems and methods for user authentication on a network and more particularly to systems and methods for using a code scanning handheld such as a cellular telephone to provide expedited user authentication to a website.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522. The examiner can normally be reached 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MOEEN KHAN/              Examiner, Art Unit 2436