DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Double Patenting
2. The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

3. Claims 21-41 of the instant application are provisionally rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-20 of US Patent No. 11,240,240. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the current application encompass the same subject matter as the claims of the patent, but with obvious wording variations. This is a non-statutory double patenting rejection.

Claim Rejections - 35 USC § 103
4.   The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5. Claims 21-41 are rejected under 35 U.S.C. 103 as being unpatentable over Smith (US Pub. No. 2009/0037729) in view of Glazemakers (US Pub. No. 2016/0099916).

6. Regarding claims 21, 28 and 35, Smith teaches a system, a method and a non-transitory computer-readable storage medium with multi-zoned security, the system comprising: a triage zone adapted to obtain an authentication request associated with a client device, the triage zone including an identity manager to, upon successful validation in association with the authentication request, generate an ephemeral token and enable an associated dynamic certificate set to expire at a specific time (Figs. 1-2 and 4, Paras. 0023-0025 and 0070-0071 teach that a user requests access through one of workstations 102A-N to one or more resources coupled to computer network 100. The resources include login access to computer network 100. The resources also include access to communicate with another workstation on computer network 100. In response, the workstation prompts the user for a set of credentials necessary to gain access to the computer network 100. The set of credentials includes one or more of the following: user ID, passwords, PINs, and biometrics. Upon receiving the credentials, the workstation communicates to gating authentication server 120 [triage zone herein] a request to authenticate the requested access based on the provided credentials. The gating authentication server 120 looks up the user ID in a database and then compares the expected PIN to the one supplied. If they match, the user is considered to have passed authentication. Para. 0027 and Paras. 0073-0075 teach that the authenticated credentials are provided to the PKI authentication server 130 [identity manager herein] with a request to generate a temporal certificate [dynamic certificate] and a temporal key pair [ephemeral token] to complete the requested logon. The certificate and the key pair are referred to as temporal because they are generated to have a life span much shorter than that of a typical certificate generated by a certificate authority.
Para. 0050 teaches that the key/certificate storage system 250 stores the newly generated temporal keys and temporal certificate);

and to create or update a storage entry based on the dynamic certificate, wherein the ephemeral token is adapted to be provided to the client device to allow access based on the associated dynamic certificate (Paras. 0075-0078 teach generating a private/public key pair as temporal keys and generating a temporal certificate based on the authenticated credentials, and storing the newly generated temporal keys and temporal certificate; determining whether the temporal certificate is valid; if the temporal certificate is valid, granting the user access to the computer network; and if the certificate is not valid, denying access to the computer network);

But Smith does not expressly teach a production zone that is logically or physically separate from the triage zone, the production zone adapted to: establish a connection with the client device based on the dynamic certificate, ephemeral token, and a username; and verify, by accessing the stored entry, that the authentication request provided by the client device is valid.
Glazemakers teaches a production zone that is logically or physically separate from the triage zone, the production zone adapted to: establish a connection with the client device based on the dynamic certificate, ephemeral token, and a username; and verify, by accessing the stored entry, that the authentication request provided by the client device is valid (Fig. 1 and Paras. 0034-0038 teach that, to control access by the clients 121, 122 to the application servers 141-143, the gateway 100 includes a tunnel module 101 [triage zone] for establishing networking tunnels upon request by the clients 121, 122 in the external network 180. A tunnel is established upon request of a client 121, 122, which provides tunnel authentication information to the tunnel module 101. The authentication information includes a username, password, biometrics, two-factor authentication, and/or other cryptographic methods. The tunnel authentication module 105 verifies the tunnel authentication information and, if the authentication is successful, the networking tunnel 181, 182 is established with the respective client. The gateway 100 in Fig. 1 includes a firewall 102 [production zone herein] for controlling the network traffic between the clients 121, 122 and the application servers 141-143 after the respective tunnels 181, 182 have been established. The firewall 102 may control such traffic according to firewall rules provided by the firewall configuration module 103. The firewall configuration module 103 obtains the firewall rules from client access lists received from the respective clients 121, 122, which in turn receive the client access list from the authentication server 160. The firewall rules allow a client 121, 122 to establish and maintain network connections with the application servers 141, 142 and 143.
The selection of which application servers 141-143 the client 121, 122 can access can be determined from the client access list from which the firewall rules are also obtained. The firewall rules may include any desired information. In some embodiments, for example, the firewall rules include entitlement tokens that define the information clients may have access to. Such entitlement tokens may be used to configure a firewall to not only grant or deny network traffic access, but also access to various files, e.g., files that are classified (contain metadata) as highly confidential.
Paras. 0051-0052 teach that the authentication server 160 includes a signature module 164 for creating digitally signed lists, such as a signed client access list and a signed client tunnel list. The digital signatures [certificate] generated by the signature module 164 can be verified by the signature verification module 104 in the gateway 100 upon reception of the client access and tunnel lists. The signature may be generated and verified with a signature key shared between the gateway and the authentication server 160, such that the client access list and client tunnel list cannot be altered by the clients 121, 122 without the gateway 100 notifying the authentication server 160. In one exemplary embodiment, X.509 certificates using a private/public key mechanism are employed to verify the certificate).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Smith to include a production zone gateway that establishes a connection with the client device based on the dynamic certificate, ephemeral token and username, and verifies that the dynamic certificate provided by the client device is valid, as taught by Glazemakers, because such a setup would authenticate and verify both the user and the device.

7. Regarding claims 22, 29 and 36, Smith in view of Glazemakers teaches the system, the method and the non-transitory computer-readable storage medium wherein the authentication request is verified using a common name associated with the dynamic certificate (Smith: Paras. 0024-0026 and 0045 teach that the authentication package includes a username, PIN, biometric, previously generated certificates and key (token), and verifying the authentication package based on the request.
Glazemakers: Para. 0040-0040 and Paras. 0051-0054 teach that the authentication request is verified using the common name associated with the certificate).

8. Regarding claims 23, 30 and 37, Smith in view of Glazemakers teaches the system, the method and the non-transitory computer-readable storage medium wherein successful validation comprises validating a correct username and password, validating a last token, or validating a fingerprint (Smith: Paras. 0024-0026, 0045 and 0076 teach that the authentication package includes a username, PIN, biometric, previously generated certificates and key (token), and verifying/validating the authentication package).

9. Regarding claims 24, 31 and 38, Smith in view of Glazemakers teaches the system, the method and the non-transitory computer-readable storage medium wherein the client device establishes a connection to the triage zone using a static certificate and the ephemeral token (Smith: Paras. 0027-0029 and 0032-0033 teach establishing a connection using the issued certificate and key (token)).

10. Regarding claims 25, 32 and 39, Smith in view of Glazemakers teaches the system, the method and the non-transitory computer-readable storage medium wherein the client device establishes a subsequent connection to the triage zone using a rolling token (Smith: Paras. 0023-0025 and 0070-0075 teach that a user requests access through one of workstations 102A-N to one or more resources coupled to computer network 100. The resources include login access to computer network 100. The resources also include access to communicate with another workstation on computer network 100. In response, the workstation prompts the user for a set of credentials necessary to gain access to the computer network 100. The set of credentials includes one or more of the following: user ID, passwords, PINs, and biometrics. Upon receiving the credentials, the workstation communicates to gating authentication server 120 [triage zone herein] a request to authenticate the requested access based on the provided credentials. The gating authentication server 120 looks up the user ID in a database and then compares the expected PIN to the one supplied. If they match, the user is considered to have passed authentication. Para. 0027 and Paras. 0073-0075 teach that the authenticated credentials are provided to the PKI authentication server 130 [identity manager herein] with a request to generate a temporal certificate [dynamic certificate] and a temporal key pair [ephemeral token] to complete the requested logon. The certificate and the key pair are referred to as temporal because they are generated to have a life span much shorter than that of a typical certificate generated by a certificate authority).

11. Regarding claims 26, 33 and 40, Smith in view of Glazemakers teaches the system, the method and the non-transitory computer-readable storage medium wherein the rolling token is refreshed using an identity loop established with the first identity manager or the production zone (Smith: Paras. 0081 and 0083 teach receiving a request for authenticated access to a computer network, prompting for at least one user credential, receiving at least one credential in response to the prompt, validating the received at least one credential by providing authenticated credentials if the received at least one credential is valid, requesting a temporal private/public key pair and a temporal certificate, wherein requesting includes submitting the authenticated credentials, receiving the authenticated credentials and generating a temporal private/public key pair and a temporal certificate associated with the authenticated credentials upon receipt of the authenticated credentials, and granting authenticated access to the computer network using the temporal certificate and the temporal private/public key pair. Paras. 0073-0075 teach that the authenticated credentials are provided to the PKI authentication server 130 [identity manager] with a request to generate a temporal certificate [dynamic certificate] and a temporal key pair [ephemeral token] to complete the requested logon. The certificate and the key pair are referred to as temporal because they are generated to have a life span much shorter than that of a typical certificate generated by a certificate authority).

12. Regarding claims 27, 34 and 41, Smith in view of Glazemakers teaches the system, the method and the non-transitory computer-readable storage medium wherein verifying that the authentication request provided by the client is valid comprises verifying that a common name associated with the authentication request matches the stored entry and that the dynamic certificate is enabled (Smith: Paras. 0024-0026 and 0045 teach that the authentication package includes a username, PIN, biometric, previously generated certificates and key (token), and verifying the authentication package.
Glazemakers: Para. 0040-0040 and Paras. 0051-0054 teach that the authentication request is verified using the common name associated with the certificate in the storage).
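For reference, the following is an added illustration of the claimed architecture as the elements of claims 21-27 are recited above: a triage zone validates credentials, an identity manager issues an ephemeral token and a dynamic certificate with an expiry and records a storage entry, a logically separate production zone verifies a connection by checking that the common name matches the stored entry, that the certificate is enabled and unexpired, and that the token matches, and a rolling-token refresh replaces the token. This code is not part of the Office Action, the application, Smith, or Glazemakers. It stands in a signed JSON record for the certificate rather than X.509, and the signing key shared between the identity manager and the production zone (the Office Action describes a shared signature key in Glazemakers) is an assumed value.

```python
"""Constructed two-zone authentication model (illustration only, not the
applicant's or either reference's implementation)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumption: one signing key shared by the identity manager and the
# production zone; the value is made up for this example.
SHARED_SIGNING_KEY = b"example-shared-signing-key"


@dataclass
class DynamicCertificate:
    common_name: str
    not_after: float            # expiry as seconds since the epoch
    enabled: bool = True

    def to_bytes(self) -> bytes:
        return json.dumps({"cn": self.common_name, "not_after": self.not_after},
                          sort_keys=True).encode()


def _sign(cert: DynamicCertificate) -> str:
    return hmac.new(SHARED_SIGNING_KEY, cert.to_bytes(), hashlib.sha256).hexdigest()


def _token_hash(token: str) -> str:
    # Only a hash of the ephemeral token is kept in the storage entry.
    return hashlib.sha256(token.encode()).hexdigest()


def make_credential(password: str, salt: bytes = b"constructed-salt"):
    """Constructed credential record: (salt, salted SHA-256 of the password)."""
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


class IdentityManager:
    """Issues the ephemeral token and dynamic certificate and keeps the storage entry."""

    def __init__(self, store: dict, ttl_seconds: int = 300):
        self.store = store
        self.ttl = ttl_seconds

    def issue(self, username: str, now: float):
        token = secrets.token_urlsafe(32)
        cert = DynamicCertificate(common_name=username, not_after=now + self.ttl)
        sig = _sign(cert)
        # Create or update the storage entry keyed on the common name.
        self.store[username] = {"cert": cert, "sig": sig, "token_hash": _token_hash(token)}
        return token, cert, sig

    def refresh(self, username: str, presented_token: str, now: float):
        """Rolling token: the current token is exchanged for a new token and certificate."""
        entry = self.store.get(username)
        if entry is None or not hmac.compare_digest(entry["token_hash"], _token_hash(presented_token)):
            return None
        if not entry["cert"].enabled or now >= entry["cert"].not_after:
            return None
        return self.issue(username, now)


class TriageZone:
    """Obtains the authentication request and validates the credentials."""

    def __init__(self, credentials: dict, identity_manager: IdentityManager):
        self.credentials = credentials          # username -> (salt, digest)
        self.idm = identity_manager

    def authenticate(self, username: str, password: str, now: float):
        record = self.credentials.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).hexdigest()):
            return None
        return self.idm.issue(username, now)


class ProductionZone:
    """Separate zone: verifies cert, token and username against the stored entry."""

    def __init__(self, store: dict):
        self.store = store

    def connect(self, username: str, cert: DynamicCertificate, sig: str,
                token: str, now: float):
        entry = self.store.get(username)
        if entry is None:
            return False, "no storage entry"
        if not hmac.compare_digest(sig, _sign(cert)):
            return False, "certificate signature invalid"
        if cert.common_name != username or entry["cert"].common_name != username:
            return False, "common name mismatch"
        if not entry["cert"].enabled:
            return False, "certificate disabled"
        if now >= entry["cert"].not_after:
            return False, "certificate expired"
        if not hmac.compare_digest(entry["token_hash"], _token_hash(token)):
            return False, "ephemeral token mismatch"
        return True, "ok"
```

The production zone never consults the triage zone's credential table; it relies only on the shared storage entry and the shared signing key, which is what keeps the two zones separable. A forged certificate fails the signature check before the common name is ever compared, and after a refresh the previous token is rejected even though its certificate has not yet expired.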

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506.  The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431