DOWNLOAD OF A SUBSCRIPTION PROFILE TO A COMMUNICATION DEVICE

§102 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment This office action has been changed in response to the amendment filed on 12/8/2025. Claims 1, 25, 35, 39 and 40 have been amended. Claim 13-15 have been cancelled. Response to Arguments Applicant's arguments filed 12/8/2025 have been fully considered but they are not persuasive. In response to the Applicant’s argument that Park fails to disclose or suggest “downloading the subscription profile only if the second authorization information, according to a matching criterion, matches the first authorization secret” (Page 16), the Examiner respectfully disagrees. Park discloses in Fig. 6A [658 & 660] that the eUICC (Fig. 6A [630]) verifies the information (Fig. 6 [654]) received from the server (Fig. 6A [610]) matches the first authorization secret. (Page 11 [0201] and Fig. 6A i.e. that DP-_Sign1 matches eUICC-_Challenge and that “The eUICC 630 verifies the certificate of the profile providing server. The verification may be a signature verification scheme using a CI certificate or a public key of the CI certificate which are stored in the eUICC 630”) Once the matching verification occurs, then the eUICC sends the OK to download to the terminal Fig. 6A [660] which triggers the download request. (Fig. 6B [662]) Accordingly, the Examiner respectfully disagrees with the Applicant’s assertion. In response to the Applicant’s argument regarding the newly incorporated limitations from claims 13-15 (Pages 16-17), it is noted that the previous rejection of claims 13-15 was based on the combination of teachings found in Park in view of Johansson. Since the arguments are directed to Park alone, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In response to the Applicant’s arguments that Park teaches away (Pages 18), the alleged citations from Park (Page 18 citing paragraphs [0226, 0223 & 0119]), it is noted that the citations found in the Applicant’s arguments do not match Park et al. (US-2019/0268765) and accordingly, the Examiner is not persuaded by the Applicant’s argument. In response to the Applicant’s argument with respect to claims 25, 35 and 40 that Park completely fails to disclose or suggest “the second authorization secret derivable, by the subscription management entity, from the third authorization secret” (Page 19), again the citations found in the Applicant’s arguments (PME 400, MNO entity 200, batch identifier) are not found in Park et al. (US-2019/0268765) and accordingly, the Examiner is not persuaded by the Applicant’s argument. The remainder of the Applicant’s arguments are based on Johansson or Leedom failing to cure the alleged deficiencies of Park. The Examiner respectfully disagrees as discussed above. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-4, 18-20, 22, 23, 25-31, 35, 39 and 40 are rejected under 35 U.S.C. 102(a) as being anticipated by Park et al. (US-2019/0268765 hereinafter, Park). Regarding claim 1, Park discloses a method for subscription profile download (Abstract), the method being performed by a communication device (Fig. 6A [620]), the communication device being configured with a first authorization secret (Fig. 6A [646] and Page 10 [0194]), the method comprising: receiving, as part of performing a subscription profile download procedure (Page 10 [0189]), second authorization information from a subscription management entity (Page 10 [0199] and Fig. 6A [656]), wherein the second authorization information is generated using a second authorization secret; (Page 10 [0198]) and downloading the subscription profile only if the second authorization information, according to a matching criterion, matches the first authorization secret (Page 11 [0201] and Fig. 6 [658, 660]) the second authorization information identical to the second authorization secret, and, in accordance with the matching criterion, the second authorization information matches the first authorization secret only when the second authorization secret is identical to the first authorization secret; or the second authorization information is a second MAC computed by the subscription management entity using the second authorization secret and a piece of data, the piece of data being received by the communication device from the subscription management entity, and the communication device computes a first MAC on the piece of data using the first authorization secret as key, and, in accordance with the matching criterion, the second authorization information matching the first authorization secret only when the second MAC is identical to the first MAC; or the second authorization information being data as encrypted by the subscription management entity using the second authorization secret as key (Page 11 [0201-0202] “The eUICC 630 verifies the certificate of the profile providing server. The verification may be a signature verification scheme using a CI certificate or a public key of the CI certificate which are stored in the eUICC 630. The signature verification may be verification using the public key selected by using the information included in the Cert_ToBe_use.” Note: that is signed/hashed and has to be computed by the eUICC), the first authorization secret used by the communication device for decrypting the second authorization information (Fig. 6A [658] and Page 11 [0202]) and, in accordance with the matching criterion, the second authorization information matches the first authorization secret only when the communication device is able to decode the piece of data and verify correctness of the data as decrypted. (Page 11 [0201] “If the verification passes, the eUICC 630 verifies the received Sign_DP1. The verification may be a signature verification using the public key included in the certificate of the profile providing server. If the verification passes, the eUICC 620 authenticates the profile providing server”) Regarding claim 2, Park teaches wherein the first authorization secret is preconfigured in the communication device. (Page 11 [0201] “The verification may be a signature verification scheme using a CI certificate or a public key of the CI certificate which are stored in the eUICC 630”) Regarding claim 3, Park teaches wherein the first authorization secret is obtained by the communication device from a managing entity. (Page 11 [0201] “ The signature verification may be verification using the public key selected by using the information included in the Cert_ToBe_use.”) Regarding claim 4, Park teaches wherein the first authorization secret is generated by the communication device. (Page 10 [0194]) Regarding claim 18, Park teaches wherein the second authorization information equals the second authorization secret, and wherein the second authorization secret is received encrypted from the subscription management entity. (Page 10 [0199] and Page 11 [0201]) Regarding claim 19, Park teaches wherein the subscription management entity is an SM-DS entity. (Page 3 [0050]) Regarding claim 20, Park teaches wherein the second authorization information is received together with an event record providing subscription profile download information. (Pages 10-11 [0199-0204] “the eUICC 630 may transfer eUICC authentication information to the terminal 620. The eUICC authentication information may include at least one of the disposable public key of the eUICC, the address of the profile providing server”) Regarding claim 22, Park teaches wherein the subscription management entity is an SM-DP+ entity. (Page 3 [0049]) Regarding claim 23, Park teaches wherein the second authorization information is received in a subscription profile download message from the subscription management entity. (Fig. 6 [610], Page 10 [0199] and Page 3 [0049]) Regarding claim 25, Park teaches a method for enabling subscription profile download to a communication device (Abstract), the method being performed by a subscription management entity (Fig. 9A [920]), the method comprising: obtaining, from a mobile network operator entity or a second subscription management entity (Fig. 9a [915]), a message for preparing for download (Fig. 9a [947]) of a subscription profile for the communication device (Fig. 9a [925]), the message comprising a third authorization secret for the communication device; (Fig. 9a [943 & 947]) and providing, as part of performing a subscription profile download procedure, second authorization information to the communication device (Fig. 9A [961] “EventResponse”), the second authorization information is generated using a second authorization secret (Fig. 9A [959]), the second authorization secret is derivable, by the subscription management entity, from the third authorization secret. (Fig. 9A [957] “EventID”, Page 14 [0248-0249] and Page 10 [0190-0199] i.e. in detail description relating to Fig. 6A/6B, the EventID and how Fig. 9A [959] can be derived from a third authorization secret, see specifically [0198-0199]) Regarding claim 26, Park teaches wherein the second authorization information equals the second authorization secret, and wherein the second authorization secret is encrypted by the subscription management entity before being provided to the communication device. (Page 10 [0199] and Page 11 [0201]) Regarding claim 27, Park teaches wherein the message comprises an EID of the communication device for which the subscription profile is intended (Page 5 [0075, 0076 & 0082]), the method further comprises: receiving, from the communication device, the EID; (Fig. 3A [322 & 323] and Page 8 [0138]) and wherein the second authorization information is provided to the communication device when the subscription management entity has verified that the EID received from the communication device matches and EID of the communication device as received from the mobile network operator entity. (Page 6 [0099-0101] and [0102-0109]) Regarding claim 28, Park teaches wherein the subscription management entity is a SM-DS entity (Page 3 [0050]), wherein the second subscription management entity is a SM-DP+ entity (Page 3 [0049]), and wherein the message is a request from the SM-DP+ entity to register an event containing subscription profile download information at the SM-DS entity. (Page 3 [0049-0050] and Fig. 7 [715, 720 and 770]) Regarding claim 29, Park teaches wherein the second authorization information is received together with an event record providing subscription profile download information. (Pages 10-11 [0199-0204] “the eUICC 630 may transfer eUICC authentication information to the terminal 620. The eUICC authentication information may include at least one of the disposable public key of the eUICC, the address of the profile providing server”) Regarding claim 30, Park teaches wherein the subscription management entity is a SM-DP+ entity (Page 3 [0049]), and wherein the message is from the mobile network operator entity (Fig. 9A [910] MNO BSS mobile network operator business support system) and confirms ordering of the subscription profile for the communication device. (Fig. 9A [945] i.e. Return Event ID based on the request, [941]) Regarding claim 31, Park teaches wherein the second authorization information is provided in a subscription profile download message from the SM-DP+ entity to the communication device. (Fig. 9A [955] “EventID”) Regarding claim 35, the limitations of claim 35 are rejected as being the same reasons set forth above in claim 25. Regarding claim 39, the limitations of claim 39 are rejected as being the same reasons set forth above in claim 1. (See additionally Fig. 12 [1200 & 1230]) Regarding claim 40, the limitations of claim 40 are rejected as being the same reasons set forth above in claim 35. (see additionally Figs. 10 and 11) Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 5, 8-16, 21, 24, 32-34 and 36-38 are rejected under 35 U.S.C. 103 as being unpatentable over Park et al. (US-2019/0268765 hereinafter, Park) in view of Johansson et al. (WO2020/035150A1 hereinafter, Johansson). Regarding claim 5, Park teaches the limitations of claim 2 above, but differs from the claimed invention by not explicitly reciting wherein the communication device has a device identifier, and wherein the first authorization secret is derived from a batch authorization secret using the device identifier. In an analogous art, Johansson teaches a method and system for handling subscription profiles for a set of wireless devices (Abstract) that includes wherein the communication device has a device identifier (Page 6 lines 16-28 “EID”), and wherein the first authorization secret is derived from a batch authorization secret using the device identifier. (Page 16 lines 7-10 and Page 15 lines 12-15) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to be motivated to implement the invention of Park after modifying it to incorporate the ability to use a device identifiers as an authorization secret as is well known from Johansson since it enables using a common batch identifier for several devices that is formatted in a similar fashion as an EID without having to bind a value to each individual device, thereby saving storage and decreasing complexity. (Johansson Page 16 lines 6-10) Regarding claim 8, Park teaches the limitations of claim 1 above, but differs from the claimed invention by not explicitly reciting performing a registration procedure with a managing entity for registering with the managing entity; and receiving a request from the managing entity to enable the subscription profile as downloaded. In an analogous art, Johansson teaches a method and system for handling subscription profiles for a set of wireless devices (Abstract) that includes performing a registration procedure with a managing entity for registering with the managing entity; (Page 15 lines 23-28) and receiving a request from the managing entity to enable the subscription profile as downloaded. (Page 15 lines 27-32) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to be motivated to implement the invention of Park after modifying it to incorporate the ability to use a management server to trigger the downloading of profiles of Johansson since the use of a bootstrapping mechanism to connect to a management server to sign up for a cellular service is well known in the art. Regarding claim 9, Park in view of Johannson teaches wherein the performing a registration procedure with a managing entity comprises establishing secure communication with the managing entity (Page 2 line 32 through Page 3 line 5) and wherein the credentials for establishing secure communication are obtained from the subscription profile as downloaded. (Johannson Page 4 lines 28-30) Regarding claim 10, Park in view of Johannson teaches wherein the method for comprises deriving an authorization secret from the first authorization secret using an identifier individual per subscription profile download (Johannson Page 16 lines 6-23), and wherein, in accordance with the matching criterion, the first authorization secret is replaced by the derived authorization secret in the matching. (Johannson Page 16 lines 6-23) Regarding claim 11, Park in view of Johannson teaches receiving from the subscription management entity the identifier individual per subscription profile download. (Johannson Page 17 lines 13-32 and Page 18 lines 1-12) Regarding claim 12, Park in view of Johannson teaches wherein the identifier individual per subscription profile download comprises a Matching ID or a transaction ID. (Johannson Page 25 lines 18-26 “matching identifier”) Regarding claim 13, Park in view of Johannson teaches wherein the second authorization information is identical to the second authorization secret, and wherein, in accordance with the matching criterion, the second authorization information matches the first authorization secret only when the second authorization secret is identical to the first authorization secret. (Johannson Page 31 lines 9-12 i.e. the event identifier is used as the matching identifier and Park Page 11 [0201] and Fig. 6 [658, 660]) Regarding claim 14, Park in view of Johannson teaches wherein the second authorization information is a second MAC computed by the subscription management entity using the second authorization secret and a piece of data (Johannson Page 27 lines 24-26, Fig. 8 [S308ab] and Fig. 3 [AuthenticateClient]), the piece of data being received by the communication device from the subscription management entity (Johannson Page 26 lines 9-12 “common confirmation code”), and wherein the communication device computes a first MAC on the piece of data using the first authorization secret as key (Johannson Page 27 lines 24-26), and wherein, in accordance with the matching criterion, the second authorization information matches the first authorization secret only when the second MAC is identical to the first MAC. (Johannson Fig. 7 [S206e] and Pages 43-44 line 22 through line 2) Regarding claim 15, Park in view of Johannson teaches wherein the second authorization information is data as encrypted by the subscription management entity using the second authorization secret as key (Park Page 11 [0201-0202] “The eUICC 630 verifies the certificate of the profile providing server. The verification may be a signature verification scheme using a CI certificate or a public key of the CI certificate which are stored in the eUICC 630. The signature verification may be verification using the public key selected by using the information included in the Cert_ToBe_use.” Note: that is signed/hashed and has to be computed by the eUICC), wherein the first authorization secret is used by the communication device for decrypting the second authorization information (Park Fig. 6A [658] and Page 11 [0202]) and wherein, in accordance with the matching criterion, the second authorization information matches the first authorization secret only when the communication device is able to decode the piece of data and verify correctness of the data as decrypted. (Park Page 11 [0201] “If the verification passes, the eUICC 630 verifies the received Sign_DP1. The verification may be a signature verification using the public key included in the certificate of the profile providing server. If the verification passes, the eUICC 620 authenticates the profile providing server”) Regarding claim 16, Park in view of Johansson teaches wherein the communication device, to the subscription management entity, sends data as encrypted using the first authorization secret as key (Park Fig. 6A [658] “Generate eUICC_Sign1” and Page 11 [0202]), wherein the second authorization secret is used by the subscription management entity for decrypting the piece of data (Park Fig. 6B [664] “Verify eUICC” and Pages 11-12 [0205-0208]), wherein the second authorization information equals the decrypted data (Park Pages 11-12 [0208] “Only when the verification passes”), and wherein in accordance with the matching criterion, the second authorization information matches the first authorization secret only when the communication device is able to verify that the subscription management entity has successfully decrypted the piece of data. (Park Page 12 [0216]) Regarding claims 21 and 24, Park in view of Johansson teaches wherein the identifier individual per subscription profile download is received from the SM-DS entity. (Park Page 3 [0050]) Regarding claim 32, Park teaches the limitations of claim 25 above, but differs from the claimed invention by not explicitly reciting wherein the third authorization secret is identical to the second authorization secret. In an analogous art, Johansson teaches a method and system for handling subscription profiles for a set of wireless devices (Abstract) that includes performing a registration procedure with a managing entity for registering with the managing entity (Page 15 lines 23-28) and wherein the third authorization secret is identical to the second authorization secret. (Page 31 lines 9-12 i.e. the event identifier is used as the matching identifier) Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to be motivated to implement the invention of Park after modifying it to incorporate the ability to utilize the same authorization secret of Johansson since it enables a simplified verification and deriving of keys at two separate locations. Regarding claim 33, Park in view of Johansson teaches wherein the message comprises a device identifier of the communication device for which the subscription profile is intended (Johansson Page 6 lines 16-28 “EID”), wherein the third authorization secret is a batch authorization secret (Johansson Page 16 lines 7-10 and Page 15 lines 12-15), and wherein the second authorization secret is derived from the batch authorization secret using the device identifier. (Park Pages 11-12 [0208] “For the generation of the session key, certificate (CRT) information and EID information may be additionally used.”) Regarding claim 34, Park in view of Johansson teaches wherein the second authorization secret is derived from the third authorization secret using an identifier individual per subscription profile download (Johannson Pages 33-34 line 19 through line 20), and wherein the identifier individual per subscription profile download is generated by the subscription management entity, or the message comprises the identifier individual per subscription profile download. (Johannson Page 17 lines 13-32 and Page 18 lines 1-12) Regarding claims 36-38, the limitations of claims 36-38 are rejected as being the same reasons set forth above in claim 32-34. Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Johansson as applied to claim 1 above, and further in view of Leedom (US-2008/0022089). Regarding claim 17, Park in view of Johansson teaches the ability to utilize the current time at the eUICC (Park Pages 10-11 [0200]), but differs from the claimed invention by not explicitly reciting wherein the first authorization secret has a limited validity in time, wherein the validity in time is bounded by a time window, and wherein the in accordance with the matching criterion, the second authorization secret fails to match the first authorization secret when being received outside the time window. In an analogous art, Leedom teaches a wireless communication system that communicates with a remote certification authority (Abstract) that includes utilizing a secret or private key that is only valid for a limited time window. (Page 6 [0047]) Before the effective filing date, it would have been obvious to one of ordinary skill to be motivated to implement the invention of Park in view of Johansson after modifying it to incorporate the ability to utilize a time period of validity for a secret key of Leedom since only allowing a secret key to be valid for a specific period of time increases security by not allowing the secret key to be used forever. (Leedom Page 12 [0085]) Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US-2017/0077975 to Wang which discloses a eUICC management method for capability and profiles US-2017/0295172 to Ahrens et al. which discloses a system and method for profiles subscription profiles to a mobile device US-2019/0335319 to Li which discloses transfer of subscription profiles between devices THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW C SAMS whose telephone number is (571)272-8099. The examiner can normally be reached M-F 8:30-5 EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matthew Anderson can be reached at (571)272-4177. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Matthew C Sams/Primary Examiner, Art Unit 2646