DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04 November 2022 has been entered.
The Amendment filed 30 June 2022 has been received and considered.
Claims 1, 2, and 7-13, 16-18, and 21-27 are pending.
This action is Non-Final.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 15 September 2022 and 26 September 2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Interpretation
The interpretation of “credential module operable to…”, recited in claims 1 and 2, as invoking 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, has been agreed upon.  The remaining text in this section is repeated for clarity of the record.
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “credential module operable to…” explicitly recited in claims 1 and 2.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
NOTE: the limitations have proper structure put forth in the specification.
NOTE: If these claims were not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph they would be considered software alone and therefore directed to non-statutory subject matter under 35 U.S.C. 101.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2 and 7-13, 16, 17, and 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Conrad et al. (US 20160036788) in view of Neafsey et al. (US 20130212661) and further in view of Bliding et al. (US 20120213362).
As per claims 1, 2, 7, 11-13, 16, and 17, Conrad et al. discloses an access control system, comprising: 
a credential service operable to generate an encrypted programming credential (see paragraph [0056] where the server generates a new key pair and encrypts it before sending it to the mobile device and/or encrypting the firmware update); 
an installer mobile application on a mobile device operable to communicate with the credential service, the installer mobile application operable to receive/download the encrypted programming credential from the credential service (see paragraph [0056] where the mobile device receives the encrypted information and see paragraph [0063] numeral 506 for the mobile application); 
a credential module for an access control, the credential module operable to extract programming data from the encrypted programming credential, the programming data usable to program the access control, wherein the credential module is operable to decrypt and validate the encrypted programming credential and is operable to set a lock encryption key or roll a lock encryption key, wherein the mobile device is configured to send the encrypted programming credential to the credential module (see paragraph [0056], “the lock may decrypt the encrypted new key pair using the old secret key and verify the data.  If successful, the lock may access the new secret key from the decrypted new key pair, and then store the new secret key to be used in future interactions” where the interactions include unlocking the lock as described in paragraph [0054]); and 
downloading, decrypting, and extracting the programming data to a smartphone (see paragraph [0056]).
Conrad et al. discloses downloading the encrypted credential to a mobile device and the access control is a lock (see paragraph [0056]), but fails to explicitly disclose that the encrypted programming data is downloaded using the installer app and that the encrypted programming data is identical to a card meta-data physically encoded on a physical key card and as such the mobile device includes a key card.
However, Neafsey et al. teaches that encrypted programming data is downloaded from a credential service (see paragraphs [0073]-[0079] and [0058]-[0059]) and that the encrypted programming data is identical to a card meta-data physically encoded on a physical key card and as such the mobile device includes a key card (see paragraphs [0024], [0059], and [0070]-[0072] where the virtual credential is able to be programmed on physical cards and emulates the credential and therefore must be identical to data encoded on a physical key card).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the credential and app of Neafsey et al. as part of the Conrad et al. system.
Motivation to do so would have been to simplify the programming of offline electronic locks and simplify the distribution of credentials to offline lock users (see Neafsey et al. paragraph [0079]).
While the modified Conrad et al. and Neafsey et al. system discloses the use of encrypted programming data that is decrypted, it does not explicitly disclose that the credential module within the access control decrypts and extracts the programming data.
However, Bliding et al. teaches a system where a server encrypts access data (i.e. programming data), sends this encrypted access data to a mobile device, which in turn sends the encrypted access data to the lock where it is decrypted, extracted and installed (see paragraphs [0011]-[0013] where the programming/circuitry within the lock must decrypt it to be used).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to perform the decryption within the lock itself.
Motivation to do so would have been so that there is no security risk in storing the data in the mobile device, i.e. the mobile device cannot decrypt and expose the access data (see Bliding et al. paragraph [0011]).
As per claims 8-10, the modified Conrad et al., Neafsey et al., and Bliding et al. system teaches the access control is a lock (see Conrad et al. paragraphs [0054] and [0056] and Neafsey et al. paragraphs [0068]-[0076] where it is noted that claim 9 is directed to intended use which is not given patentable weight).
As per claims 22-25, the modified Conrad et al., Neafsey et al., and Bliding et al. system discloses the credential module is a component of the access control, wherein the mobile device is configured to send the encrypted programming credential to the credential module unmodified and as received from the credential service (see Bliding et al. paragraphs [0011]-[0013]).
Claims 18, 21, 26, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Conrad et al. and Neafsey et al. system in view of Gerhardt et al. (US 20120280783).
As per claim 18, Conrad et al. discloses a method of managing credentials for a mobile device, the method comprising: 
downloading an encrypted programming credential (see paragraph [0056]) and an encrypted mobile credential to a mobile device (see paragraph [0054] the encrypted profile); 
communicating the encrypted programming credential to a credential module in an access control; decrypting and validating the encrypted programming credential; extracting the programming data from the encrypted programming credential; communicating the programming data from the credential module to program the access control (see paragraph [0056] as applied to claims 1, 2, and 13 above); 
communicating the encrypted mobile credential to the credential module in an access control subsequent to communicating the programming data from the credential module to program the access control, wherein the programming data contains instructions to set a lock encryption key or to roll a lock encryption key (see paragraph [0056] where the updated keys are used for “future interactions” and paragraph [0054] showing the communicating of the encrypted mobile credential); 
decrypting and validating the encrypted mobile credential; extracting the data from the encrypted mobile credential; and communicating the data from the credential module to operate the access control as a “card read” (see paragraph [0054]);
downloading, decrypting, and extracting the programming data to a smartphone (see paragraph [0056]).
Conrad et al. discloses downloading the encrypted credential to a mobile device and the access control is a lock (see paragraph [0056]), but fails to explicitly disclose that the encrypted programming data is downloaded using the installer app and that the encrypted programming data is identical to a card meta-data physically encoded on a physical key card and as such the mobile device includes a key card.
However, Neafsey et al. teaches that encrypted programming data is downloaded from a credential service (see paragraphs [0073]-[0079] and [0058]-[0059]) and that the encrypted programming data is identical to a card meta-data physically encoded on a physical key card and as such the mobile device includes a key card (see paragraphs [0024], [0059], and [0070]-[0072] where the virtual credential is able to be programmed on physical cards and emulates the credential and therefore must be identical to data encoded on a physical key card).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the credential and app of Neafsey et al. as part of the Conrad et al. system.
Motivation to do so would have been to simplify the programming of offline electronic locks and simplify the distribution of credentials to offline lock users (see Neafsey et al. paragraph [0079]).
While the modified Conrad et al. and Neafsey et al. system discloses the use of encrypted programming data that is decrypted, it does not explicitly disclose that the credential module within the access control decrypts and extracts the programming data.
However, Bliding et al. teaches a system where a server encrypts access data (i.e. programming data), sends this encrypted access data to a mobile device, which in turn sends the encrypted access data to the lock where it is decrypted, extracted and installed (see paragraphs [0011]-[0013] where the programming/circuitry within the lock must decrypt it to be used).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to perform the decryption within the lock itself.
Motivation to do so would have been so that there is no security risk in storing the data in the mobile device, i.e. the mobile device cannot decrypt and expose the access data (see Bliding et al. paragraph [0011]).
While the modified Conrad et al., Neafsey et al., and Bliding et al. system discloses the use of a virtual credential (see Neafsey et al. paragraphs [0070]-[0072]), it lacks an explicit disclosure that the data is virtual card data communicated as a virtual card read.
However, Gerhardt et al. teaches reading virtual card data as part of a mobile device credential (see paragraphs [0009], [0075] and [0135]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to read the data of the modified Conrad et al., Neafsey et al., and Bliding et al. system as virtual card data.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been so that the mobile device key cards can be used with legacy locks.
As per claim 21, the modified Conrad et al., Neafsey et al., Bliding et al., and Gerhardt et al. system discloses (with the same motivation as put forth above) the encrypted mobile credential includes an access category in addition to a mobile credential with the virtual card data for a specific access control (see Conrad et al. paragraph [0054] and Gerhardt et al. paragraph [0135]).
As per claims 22-25, the modified Conrad et al., Neafsey et al., Bliding et al., and Gerhardt et al. system discloses the credential module is a component of the access control, wherein the mobile device is configured to send the encrypted programming credential to the credential module unmodified and as received from the credential service (see Bliding et al. paragraphs [0011]-[0013]).

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 2, and 7-13, 16-18, and 21-27 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to mobile devices controlling locks.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Michael Pyzocha/Primary Examiner, Art Unit 2419