Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 11388594 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is fully disclosed in the referenced patent, and the referenced patent and the instant application claim common subject matter, as follows: the instant claims are directed towards a variant/species of the referenced patent wherein all of the features are anticipated.
A side-by-side comparison of independent claims 1, 8, and 15 of the pending application and claims 1, 8, and 15 of U.S. Patent No. US 11070373 B2 is given in the following table to show their similarities and differences:
Instant US Patent Application 17,807,393 | U.S. Patent No. US 11388594 B2

Claim 1
Instant application: A method, comprising: establishing, by a first device associated with a network service provider, a network connection with a second device;
US 11388594 B2: A method, comprising: establishing, by a first wireless access device associated with a network service provider, a wireless local area network (WLAN) connection with a second wireless access device;
Instant application: providing, by the first device, and based on an authentication certificate, limited connectivity to the second device for one or more destinations associated with an identifier in a whitelist,
US 11388594 B2: providing, by the first wireless access device, after determining whether the certificate is signed by a certificate authority and before performing a mutual authentication procedure with the second wireless access device, and based on determining that the certificate is expired or revoked, limited connectivity to the second wireless access device for one or more destinations that match a destination identifier in a whitelist,
Instant application: wherein the one or more destinations correspond to at least one of a certificate authority, or one or more servers that maintain one or more unique identifiers associated with a plurality of third devices that are associated with the first device;
US 11388594 B2: wherein the one or more destinations correspond to at least one of the certificate authority, or one or more servers that maintain one or more unique identifiers associated with one or more other devices that are paired with the second wireless access device;
Instant application: performing, by the first device and based on providing the limited connectivity to the second device, an authentication procedure with the second device;
US 11388594 B2: performing, by the first wireless access device and based on providing the limited connectivity to the second wireless access device, the mutual authentication procedure with the second wireless access device based on one or more ephemeral keys,
Instant application: maintaining, by the first device and based on the authentication procedure being successful, the network connection; and
US 11388594 B2: maintaining the WLAN connection when the receipt is verified; and
Instant application: providing, by the first device and based on the authentication procedure being successful, wide area network (WAN) access to the second device.
US 11388594 B2: providing the second wireless access device with access to a wide area network (WAN) based on successful completion of the mutual authentication procedure.

Claim 8
Instant application: A first device, comprising: one or more processors configured to: establish a network connection with a second device;
US 11388594 B2: A first wireless access device associated with a network service provider, comprising: one or more memories; and one or more processors, communicatively coupled to the one or more memories, to: establish a wireless local area network (WLAN) connection with a second wireless access device,
Instant application: provide, based on an authentication certificate, limited connectivity to the second device for one or more destinations associated with an identifier in a whitelist,
US 11388594 B2: provide, after determining whether the certificate is signed by a certificate authority and before performing a mutual authentication procedure with the second wireless access device, and based on determining that the certificate is expired or revoked, limited connectivity to the second wireless access device for one or more destinations that match a destination identifier in a whitelist,
Instant application: wherein the one or more destinations correspond to at least one of the certificate authority, or one or more servers that maintain one or more unique identifiers associated with a plurality of third devices that are associated with the first device;
US 11388594 B2: wherein the one or more destinations correspond to at least one of the certificate authority, or one or more servers that maintain one or more unique identifiers associated with one or more other devices that are paired with the second wireless access device;
Instant application: perform, based on providing the limited connectivity to the second device, an authentication procedure with the second device;
US 11388594 B2: perform, based on providing the limited connectivity to the second wireless access device, the mutual authentication procedure with the second wireless access device based on one or more ephemeral keys, wherein performing the mutual authentication procedure with the second wireless access device comprises: derive a keyset from one or more shared secrets that are calculated based on a private ephemeral key and a public key included in the certificate; calculate a receipt based on the derived keyset; and determine whether the receipt is verified based on the derived keyset;
Instant application: maintain, based on the authentication procedure being successful, the network connection; and
US 11388594 B2: maintain the WLAN connection when the receipt is verified; and
Instant application: provide, based on the authentication procedure being successful, wide area network (WAN) access to the second device.
US 11388594 B2: provide the second wireless access device with access to a wide area network (WAN) based on successful completion of the mutual authentication procedure.

Claim 15
Instant application: A non-transitory computer-readable medium storing a set of instructions, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a first device, cause the first device to: establish a network connection with a second device;
US 11388594 B2: A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors of a first wireless access device associated with a network service provider, cause the one or more processors to: establish a wireless local area network (WLAN) connection with a second wireless access device,
Instant application: provide, based on an authentication certificate, limited connectivity to the second device for one or more destinations associated with an identifier in a whitelist,
US 11388594 B2: provide, after determining whether the certificate is signed by a certificate authority and before performing a mutual authentication procedure with the second wireless access device, and based on determining that the certificate is expired or revoked, limited connectivity to the second wireless access device for one or more destinations that match a destination identifier in a whitelist,
Instant application: wherein the one or more destinations correspond to at least one of the certificate authority, or one or more servers that maintain one or more unique identifiers associated with a plurality of third devices that are associated with the first device;
US 11388594 B2: wherein the one or more destinations correspond to at least one of the certificate authority, or one or more servers that maintain one or more unique identifiers associated with one or more other devices that are paired with the second wireless access device;
Instant application: perform, based on providing the limited connectivity to the second device, an authentication procedure with the second device;
US 11388594 B2: perform, based on providing the limited connectivity to the second wireless access device, the mutual authentication procedure with the second wireless access device based on one or more ephemeral keys based on determining that the second wireless access device is authorized to connect to the first wireless access device,
Instant application: maintain, based on the authentication procedure being successful, the network connection; and
US 11388594 B2: maintain the WLAN connection when the receipt is verified; and
Instant application: provide, based on the authentication procedure being successful, wide area network (WAN) access to the second device.
US 11388594 B2: provide the second wireless access device with access to a wide area network (WAN) based on successful completion of the mutual authentication procedure.
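As an added illustration that is not part of this Office action or of either application, the following constructed Python model walks through the sequence the compared claims recite: certificate state decides the destinations reachable under limited connectivity (the whitelist), both devices then derive a keyset from shared secrets computed with a private ephemeral key and the public key in the certificate, the second device returns a receipt, and WAN access is granted only once the first device verifies it. The Diffie-Hellman group, the whitelist entries, the key labels and every device name are assumptions made for the example.

```python
"""Model of the claimed onboarding gate: certificate check -> limited connectivity ->
mutual authentication with ephemeral keys -> receipt verification -> WAN access.
Constructed illustration; the group, keys, names and whitelist are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group: 2**127 - 1 is prime but far too small for real use.
TOY_P = (1 << 127) - 1
TOY_G = 5


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: int      # static DH public key g**s mod p of the second device
    signed_by_ca: bool   # outcome of the signature check against the certificate authority
    expired: bool
    revoked: bool


def issue_certificate(subject, static_priv, *, signed_by_ca=True,
                      expired=False, revoked=False):
    """Hypothetical issuer: binds the second device's static public key to a subject."""
    return Certificate(subject, pow(TOY_G, static_priv, TOY_P),
                       signed_by_ca, expired, revoked)


# Constructed whitelist of destination identifiers reachable in the limited-connectivity
# state: the certificate authority and a server that keeps unique IDs of paired devices.
WHITELIST = frozenset({"ca.example", "pairing-db.example"})


def gate_destinations(cert):
    """Which destinations the second device may reach before mutual authentication."""
    if not cert.signed_by_ca:
        return frozenset()          # not signed by the CA: drop the connection
    if cert.expired or cert.revoked:
        return WHITELIST            # limited connectivity: renew cert / fetch CRL / retry
    return frozenset({"*"})         # healthy certificate: no destination restriction


def is_allowed(cert, destination):
    allowed = gate_destinations(cert)
    return "*" in allowed or destination in allowed


def derive_keyset(shared_secrets, transcript):
    """HMAC-based extract-then-expand over the shared secrets (HKDF-like, simplified)."""
    ikm = b"".join(s.to_bytes(16, "big") for s in shared_secrets)
    prk = hmac.new(b"onboarding-salt", ikm, hashlib.sha256).digest()
    return {label: hmac.new(prk, label + transcript, hashlib.sha256).digest()
            for label in (b"auth", b"enc")}


def receipt(auth_key, transcript):
    """Receipt = MAC over the handshake transcript under the derived auth key."""
    return hmac.new(auth_key, transcript, hashlib.sha256).digest()


def run_onboarding(cert, second_static_priv):
    """Both sides of the exchange. `second_static_priv` is whatever the second device
    actually holds; it matches the certificate only if the device is genuine."""
    allowed = gate_destinations(cert)
    if not allowed:
        return {"state": "dropped", "wan": False, "limited_to": allowed}
    # First device: ephemeral key pair, offered while only `allowed` is reachable.
    x = secrets.randbelow(TOY_P - 2) + 1
    big_x = pow(TOY_G, x, TOY_P)
    # Second device: its own ephemeral key pair.
    y = secrets.randbelow(TOY_P - 2) + 1
    big_y = pow(TOY_G, y, TOY_P)
    transcript = b"|".join(str(v).encode() for v in (big_x, big_y, cert.public_key))
    # First device: shared secrets from its ephemeral private key with (a) the public key
    # in the certificate and (b) the peer's ephemeral public key.
    first_keys = derive_keyset([pow(cert.public_key, x, TOY_P), pow(big_y, x, TOY_P)],
                               transcript)
    # Second device mirrors the computation with its static and ephemeral private keys
    # and returns its receipt in the authentication response.
    second_keys = derive_keyset([pow(big_x, second_static_priv, TOY_P),
                                 pow(big_x, y, TOY_P)], transcript)
    response_receipt = receipt(second_keys[b"auth"], transcript)
    # First device verifies the receipt; only then is the connection kept and WAN granted.
    verified = hmac.compare_digest(receipt(first_keys[b"auth"], transcript),
                                   response_receipt)
    return {"state": "authenticated" if verified else "failed",
            "wan": verified, "limited_to": allowed}
```

A device presenting a certificate whose public key it does not hold the private key for still gets the whitelist while its certificate is expired or revoked, but its receipt never verifies, so the model never grants it WAN access.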


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter; specifically, it is directed towards software per se.
Claim 8 recites “one or more processors configured to,” and the processor is not tied to any hardware. Therefore, under the broadest reasonable interpretation, the processor could be software.
Claims 9-14 depend from claim 8 and do not add any element that corrects the above issue.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 7, 8, 10-12, 14, 15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 20190313246), hereinafter Nix in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman. 
Regarding Claims 1 and 8, Miyabayashi teaches
	A method, comprising: establishing, by a first device associated with a network service provider, a network connection with a second device (Para [0029] FIG. 1 is an explanatory diagram illustrating a configuration example of a communication system according to an embodiment of the present invention.  Para [0125] First, the network mode of WLANs will be described with reference to FIG. 13. FIG. 13 is an explanatory diagram illustrating an example of the network mode of WLANs. Para [0126] The network modes in WLANs include an infrastructure mode, and ad-hoc mode. In many cases, the infrastructure mode is frequently employed wherein a single access point (hereafter, AP) is connected with multiple base stations (hereafter, BS). In the case of the infrastructure mode, an AP belongs to a local area network constructed by cable or by radio. Also, an AP is connected to various types of local server);
	providing, by the first device and based on the authentication procedure being successful, wide area network (WAN) access to the second device (Para [0317] With a WPS network, data is encrypted at the time of authenticating each device. That is to say, information and network certificates are exchanged securely within space by employing the extensible authentication protocol (EAP). The WPA2 is employed as an authentication protocol. In a case where authentication is executed mutually by devices, and a client is permitted over a network, connection is performed).
	Miyabayashi does not explicitly teach a method providing, by the first device, and based on an authentication certificate, limited connectivity to the second device for one or more destinations associated with an identifier in a whitelist.
	In the same field of endeavor, VASS teaches
	providing, by the first device, and based on an authentication certificate, limited connectivity to the second device for one or more destinations associated with an identifier in a whitelist (Para [0600] …Upon successful registration a signed device certificate is generated, stored, and communicated back to the device for consequent communications. Para [0601] Device registration is a necessary step in joining the Z-Platform infrastructure, as clients are required to satisfy the platform's 2-way mutual TLS authentication requirements using client-side X.509 authentications. Upon a client establishing a TLS connection, the presented client certificate is checked for validity (verifying if it was signed by Z-Platform's Client SubCA--discussed in greater detail elsewhere herein) and if the certificate has been black-listed or not. Para [0197] The platform's Core Services also provide device management functions, including but not limited to device registration (utilizing a one-way ID transformation), authentication, assignments (both user and application), and usage restrictions. When a device first gets registered, it only has access to a limited set of services to enable the user (or the system) to execute proper assignments (certain devices may or may not have access to applications and/or users)).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of Miyabayashi to incorporate the teachings of VASS such that the method of Miyabayashi includes providing, by the first device, and based on an authentication certificate, limited connectivity to the second device for one or more destinations associated with an identifier in a whitelist.  One would have been motivated to make such combination in order to satisfy the platform's 2-way mutual TLS authentication requirements (VASS, Para [0601]), and enable the user (or the system) to execute proper assignments (VASS, Para [0197]). 
	The combination of Miyabayashi and VASS does not explicitly teach a method wherein the one or more destinations correspond to at least one of a certificate authority, or one or more servers that maintain one or more unique identifiers associated with a plurality of third devices that are associated with the first device.
In the same field of endeavor, Nix teaches
	wherein the one or more destinations correspond to at least one of a certificate authority, or one or more servers that maintain one or more unique identifiers associated with a plurality of third devices that are associated with the first device (Para [0039] Device 101 can include manufactured secure processing environment (not shown). The manufactured secure processing environment can also be referred to as a secure enclave or secure element. Device 101 can comprise functionality of a processor such as an ARM.RTM. or Intel.RTM. based processor to secure cryptographic key materials including private keys in public key infrastructure (PM) key pairs, secret shared keys, cryptographic parameters, cryptographic algorithms, a certificate 107a for the device 101 certificate authority, a root certificate 109a, etc. Para [0060] For a set of default credentials 103 in a device database 122x, ID.device 101b can correspond to a unique identifier for device 101, and the use of a ID.device 101b is depicted and described in connection with FIG. 1e below. In exemplary embodiments, ID.device 101b can comprise a MAC addresses used with a physical radio 101i interface. Or, ID.device 101b could comprise an international mobile equipment identifier (IEMI), and other possibilities exist as well for a unique device ID ID).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi and VASS to incorporate the teachings of Nix such that the method of the combination of Miyabayashi and VASS includes wherein the one or more destinations correspond to at least one of a certificate authority, or one or more servers that maintain one or more unique identifiers associated with a plurality of third devices that are associated with the first device.  One would have been motivated to make such combination in order to provide certificate authority and a serial number/identifier for cert0.device (Nix, Para [0108]).
	The combination of Miyabayashi, VASS, and Nix does not explicitly teach a method performing, by the first device and based on providing the limited connectivity to the second device, an authentication procedure with the second device.
In the same field of endeavor, Nix (2) teaches
	performing, by the first device and based on providing the limited connectivity to the second device, an authentication procedure with the second device (Col. 17, lines 25-41, FIG. 1c is a graphical illustration of a device provisioning protocol for (i) authentication and configuration of a responder and (ii) authentication of an initiator, in accordance with conventional technology. FIG. 1c depicts a summary of the WiFi Device Provisioning Protocol (DPP) specification, version 1.0 which was published on Apr. 9, 2018, supporting a mutual authentication 142 by both initiator 102* and responder 101x. The summary depicted in FIG. 1c highlights recorded bootstrap PKI keys, derived ephemeral PKI keys, and messages transmitted and received between an initiator 102* and a responder 101x. Many of (i) the PKI keys for initiator 102* and responder 101x, and (ii) the messages transmitted between the nodes are equivalent to those depicted and described in connection with FIG. 1b. This description of FIG. 1c herein focuses upon the differences from FIG. 1b in order for initiator 102* and responder 101x to mutually authenticate).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, VASS, and Nix to incorporate the teachings of Nix (2) such that the method of the combination of Miyabayashi, VASS, and Nix includes performing, by the first device and based on providing the limited connectivity to the second device, an authentication procedure with the second device. One would have been motivated to make such combination in order to support mutual authentication so as to securely authenticate a device and an initiator before transferring network access credentials to the device (Nix (2), Col. 2, lines 45-48).
	The combination of Miyabayashi, VASS, Nix, and Nix (2) does not explicitly teach a method maintaining, by the first device and based on the authentication procedure being successful, the network connection.
In the same field of endeavor, Perlman teaches
	maintaining, by the first device and based on the authentication procedure being successful, the network connection (Para [0032] Referring to FIG. 2, the system includes a first node identified as Node A 160, a second node that is identified as Node B 162, and an ephemerizer 164. Node A 160, Node B 162 and the ephemerizer 164 are communicably coupled via a network 166 to permit communication among the nodes and the ephemerizer).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, VASS, Nix, and Nix (2) to incorporate the teachings of Perlman such that the method of the combination of Miyabayashi, VASS, Nix, and Nix (2) includes maintaining, by the first device and based on the authentication procedure being successful, the network connection.  One would have been motivated to make such combination so that node A 160, Node B 162 and the ephemerizer 164 are communicably coupled via a network 166 to permit communication among the nodes and the ephemerizer (Perlman, Para [0032]).
	Regarding Claim 3, the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman teaches all the limitations of claim 1 above,
	wherein the authentication procedure is performed based on using one or more ephemeral keys (Nix (2), Col. 6, lines 21-27, In a first initiator mode, the DPP server can then conduct a series of steps in order to generate data for a Device Provisioning Protocol (DPP) authorization request. The DPP server can derive an initiator ephemeral PKI key pair. The DPP server can conduct a first initiator ECDH key exchange with the responder bootstrap public key and the derived initiator private key to derive a key k1).
The combination/rationale to combine the references is similar to that for claim 1 above.
Regarding Claim 4, the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman teaches all the limitations of claim 1 above.
The method of claim 1, further comprising: maintaining the network connection based on the authentication procedure being successful (Perlman, Para [0032] Referring to FIG. 2, the system includes a first node identified as Node A 160, a second node that is identified as Node B 162, and an ephemerizer 164. Node A 160, Node B 162 and the ephemerizer 164 are communicably coupled via a network 166 to permit communication among the nodes and the ephemerizer).
The combination/rationale to combine the references is similar to that for claim 1 above.
Regarding Claim 5, the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman teaches all the limitations of claim 1 above.
The method of claim 1, further comprising: determining a keyset from one or more shared secrets that are calculated based on a private ephemeral key and a public key included in the certificate (Perlman, Para [0037] Following receipt of the above-identified transmission from Node B 162, the ephemerizer 164 decrypts the second secret key (SK2) using the ephemeral private key assuming that the ephemeral key has not expired as depicted in step 214); and
	encrypting, based on the keyset, communications via the network connection (Miyabayashi, Para [0317] “With a WPS network, data is encrypted at the time of authenticating each device. That is to say, information and network certificates are exchanged securely within space by employing the extensible authentication protocol (EAP)”).
The combination/rationale to combine the references is similar to that for claim 1 above.
Regarding Claim 7, the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman teaches all the limitations of claim 1 above,
wherein the authentication procedure comprises: calculating a first receipt based on deriving a keyset from one or more shared secrets, wherein the one or more shared secrets are based on one or more keys included in the certificate (Perlman, Para [0035] The operation of the system is illustrated by reference to FIGS. 2 and 4a-4c. It is assumed for purposes of illustration that Node A 160 desires to send an ephemeral message to Node B 162, that is, a message that will become undecipherable after some time. … Node B then decrypts [X,Eph-Public Key]B-Public Key with Node B's private key to obtain X and the ephemeral public key as illustrated in step 208. Node B 162 then generates or obtains a second secret key SK2 for use in communicating with the ephemerizer 164 as depicted in step 210. The second secret key SK2 comprises a temporary key); and
	determining that the first receipt matches a second receipt included in an authentication response from the second device (Perlman, Para [0037] Following receipt of the above-identified transmission from Node B 162, the ephemerizer 164 decrypts the second secret key (SK2) using the ephemeral private key assuming that the ephemeral key has not expired as depicted in step 214).
	Regarding Claim 8,
Claim 8 is rejected for similar reasons as in claim 1.
	In addition, Miyabayashi teaches
	A first device, comprising: one or more processors (Para [0068] As shown in FIG. 2, the communication devices 100 and 200 are principally configured of antennas 102 and 106, proximity communication unit 104, short-range communication unit 108, control unit 110, RAM (Random Access Memory) 112, ROM (Read Only Memory) 114, flash memory 116, input unit 118, …The function of the control unit 110 is realized, for example, by a control circuit 712, controller 722, or CPU 902).
	Regarding Claims 10 and 17,
Claims 10 and 17 are rejected for similar reasons as in claim 3.
	Regarding Claims 11 and 18,
Claims 11 and 18 are rejected for similar reasons as in claim 4.
	Regarding Claims 12 and 19,
Claims 12 and 19 are rejected for similar reasons as in claim 5.
	Regarding Claim 14,
Claim 14 is rejected for similar reasons as in claim 7.
	Regarding Claim 15,
Claim 15 is rejected for similar reasons as in claim 1.
Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 20190313246), hereinafter Nix in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman in view of Getschmann et al. (US 20180205722), hereinafter Getschmann.
Regarding Claim 2, the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman teaches all the limitations of claim 1 above.
The combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman does not explicitly teach dropping the network connection based on determining whether the certificate associated with the second device is signed by the certificate authority.
In the same field of endeavor, Getschmann teaches
	dropping the network connection based on determining whether the certificate associated with the second device is signed by the certificate authority (Para [0045] The SeGW node utilized for access to the MPC may therefore provide IPsec termination points which can authenticate the Factory Digital Certificate as well as the Operational Digital Certificates to be utilized by remote Access Cells. The SeGW IPsec endpoint should therefore be able to authenticate Factory Digital Certificates issued to Access Nodes. Para [0070] In some embodiments, upon failure, the CertMgr may continue to attempt to update the OPERATIONAL certificate until the current certificate fails to be valid and communication with the operator's network is terminated).
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman to incorporate the teachings of Getschmann such that the method of the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman includes dropping the network connection based on determining whether the certificate associated with the second device is signed by the certificate authority.  One would have been motivated to make such combination so that if the current certificate fails to be valid, communication with the operator's network is terminated (Getschmann, Paragraph [0070]).
	Regarding Claims 9 and 16,
Claims 9 and 16 are rejected for similar reasons as in claim 2.
Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Miyabayashi et al. (US 20090222659), hereinafter Miyabayashi in view of VASS et al. (US 20200204527), hereinafter VASS in view of Nix (US 20190313246), hereinafter Nix in view of Nix (US 10169587), hereinafter Nix (2) in view of Perlman (US 20020191797), hereinafter Perlman in view of Bao et al. (US 20100250922), hereinafter Bao.
Regarding Claim 6, the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman teaches all the limitations of claim 1 above.
The combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman does not explicitly teach wherein the limited connectivity allows external connectivity to at least one of: renew the certificate with an appropriate certificate authority, update a certificate revocation list, or reattempt the authentication procedure.
In the same field of endeavor, Bao teaches
	wherein the limited connectivity allows external connectivity to at least one of: renew the certificate with an appropriate certificate authority, update a certificate revocation list, or reattempt the authentication procedure (Para [0061], … If the certificate of the trust bridge 205 is revoked by either CA_A or CA_C, all inter-organizational trust links previously established through the trust bridge 205 will have to be deconstructed and reestablished through another trust bridge. Para [0072], … Validity of the certification may, for example, be subject to time and space constraints. Scope of authority may be governed by a predetermined policy. In view of the limited validity and scope, some embodiments disallow renewal or update of the cross-signed certificates. However, the cross-signed certificates may be extended to newly joined devices as long as the certificate validity periods have not expired).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman to incorporate the teachings of Bao such that the method of the combination of Miyabayashi, VASS, Nix, Nix (2), and Perlman includes wherein the limited connectivity allows external connectivity to at least one of: renew the certificate with an appropriate certificate authority, update a certificate revocation list, or reattempt the authentication procedure. One would have been motivated to make such combination so that if the certificate of the trust bridge is revoked by either CA_A or CA_C, all inter-organizational trust links previously established through the trust bridge will have to be deconstructed and reestablished through another trust bridge (Bao, Paragraph [0061]).
	Regarding Claims 13 and 20,
Claims 13 and 20 are rejected for similar reasons as in claim 6.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMID TALAMINAEI whose telephone number is (571)270-3283. The examiner can normally be reached on a flexible schedule, M-F 7:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HAMID TALAMINAEI/Examiner, Art Unit 2436
/AMIE C. LIN/Primary Examiner, Art Unit 2436