Office Action Predictor
Application No. 18/202,084

UNIQUE MACHINE-USER ID-SSH KEY FINGERPRINT

Final Rejection §101§103
Filed
May 25, 2023
Examiner
WILCOX, JAMES J
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Capital One Services, LLC
OA Round
2 (Final)
70%
Grant Probability
Favorable
3-4
OA Rounds
3y 5m
To Grant
99%
With Interview

Examiner Intelligence

70%
Career Allow Rate
424 granted / 605 resolved
Without
With
+58.8%
Interview Lift
avg trend
3y 5m
Avg Prosecution
41 pending
646
Total Applications
career history

Statute-Specific Performance

§101
15.1%
-24.9% vs TC avg
§103
55.5%
+15.5% vs TC avg
§102
14.0%
-26.0% vs TC avg
§112
7.0%
-33.0% vs TC avg
Black line = Tech Center average estimate • Based on career data

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION This Office Action is in response to the Amendment filed 09/30/2025. In the instant Amendment, claims 1, 8 and 15 were amended; claims 1, 8 and 15 are independent claims. Claims 1-20 are pending in this application. THIS ACTION IS MADE FINAL. Response to Arguments Applicant’s arguments with respect to claims 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Applicant’s arguments filed 09/30/2025 have been fully considered but they are not persuasive. Applicant argues that (on pages 8-13) that the 35 U.S.C. 101 rejection to claims 1-20 as being directed to an abstract idea should be withdrawn because applicant amended the independent claims to state “"combining, via concatenation, the machine ID, the user ID, and the SSH key hash for the SSH key to create a unique SSH key fingerprint for the SSH key object of the plurality of SSH key objects;" "executing a verification operation on one or more of the unique SSH key fingerprints stored in the database, the verification operation comprising comparing the stored SSH key fingerprint against a received SSH key, to determine whether the received SSH key corresponds to a valid key for accessing the host machine." Under step 2A, Prong 1, the steps of the claims cannot be performed by a human with or without pen and paper, and therefore fall outside the scope of a “mental process” abstract idea. Under step 2A, Prong 2, applicant asserts that the claims as amended recite a technical solution to a technical problem. The claims improve the functionality of computer networks by enabling a cryptographically secure, programmatic way to audit and validate SSH key installations, which is an improvement far beyond merely applying an abstract idea. Under Step 2B, the claims are amended are also patent eligible under Step 2B because they recite “significantly more” than any alleged judicial exception and present an inventive concept. The claimed invention provides a non-conventional, computer specific improvement in network security and key management. The claims recite significantly more than any judicial exception and are patent eligible under Step 2B. The Examiner respectfully disagrees with the applicant. Under step 2A, Prong One, claims 1, 8 and 15 are directed to collecting, analyzing, organizing and comparing information for the purpose of determining whether an SSH key is valid for accessing a host machine. The claim recites ingesting metadata comprising machine ID, account IDs and SSH key objects; computing a hash of a key, extracting a key has and user ID; combining identifiers and the key hash to create a unique fingerprint; indexing the fingerprint and metadata in a database; and verifying by comparing a stored fingerprint against a SSH key to determine validity. This constitutes mental processes (evaluation/comparison of information and determination of validity) and certain methods of organizing human activity (inventorying/recordkeeping of credential information) as well as mathematical concepts (computing a hash) all of which are enumerated groups of abstract ideas. The steps reflect a process that can be described at a high level as: collect credential information, derive an identifier, store and index it, and compare it to received information to determine validity, which is a form of information processing and comparison that is abstract. The claims recite an abstract idea under Step 2A, Prong One. The independent claims do not integrate the abstract idea into a practical application. The additional elements of the independent claims do not apply the abstract idea in a manner that imposes a meaningful limit beyond generally linking the abstract idea to a particular technological environment (SSH). Rather, the claim merely uses generic computer functions as a tool to perform the abstract idea. The claims additional elements such as ingesting metadata, computing a hash, indexing a database and executing a verification operation comprising comparing are recited at a high level and correspond to routine and conventional computer operations for data processing, storage, retrieval and comparison. The claims do not recite any improvement to the functioning of a computer, database, or network itself. Instead, it uses known technologies (hashing, indexing, comparing) to manage and validate SSH keys which is an abstract information processing concept implemented with generic computer components. The recitation of “secure shell (SSH)” does not integrate the abstract idea into a practical application because it amounts to limiting the use of the abstract idea to a particular technological environment which is insufficient to confer eligibility. Therefore, claims 1, 8 and 15 are not integrated into a practical application and fails, Step 2A, Prong Two. Claims 1, 8 and 15 not include additional elements that amount to significantly more than the abstract idea. The claims recite: computing a hash (a conventional cryptographic operation), concatenating identifiers (a conventional way to form a composite identifier), indexing information in a database (a generic data storage/retrieval technique) and comparing stored information to received information (a generic verification/comparison operation). These are well-understood, routine and conventional operations performed by generic components and do not reflect an unconventional arrangement of those components. The claim does not recite any specific improvement to hashing, fingerprint generation, database indexing, or verification operations, nor does it recite any particular specialized hardware or technical mechanism that changes how computers perform these operations. Thus, claim 1 does not recite “significantly more” than the abstract idea and is therefore ineligible under 35 U.S.C. 101. Thus, the 35 U.S.C. 101 rejection to claim 1-20 is maintained for the reasons stated above. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more. Regarding claims 1, 8 and 15, the claims are directed to an abstract idea reciting the limitations “computing a hash [],” combining, via concatenation [] to create a unique SSH key fingerprint,” and “executing a verification operation [] comprising comparing stored SSH key fingerprint against a received SSH key [] determine whether the SSH key corresponds to a valid key.” The aforementioned steps are a mental process as broadly interpreted said steps could be performed in the human mind or by hand with a pen and paper. Accordingly, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that utilize ”ingesting metadata [],” “concatenating identifiers [], and “indexing in a database.” It’s noted that the claims recite the limitation “ingesting meta data for a host machine …;” Said steps are not sufficient to consider that the abstract idea is being interpreted into a practical application as said steps are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity. It is also noted that the claims recite the step of “indexing, in a database, the unique SSH key fingerprint [].” As discussed in the specification in paragraphs [0025] & [0095] described as “computer implemented services may include database services and “a computer readable storage medium can include a centralized or distributed database,” which is insufficiently considered as “being interpreted the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. It’s also noted that the claims recited additional elements (i.e. host machine, database (claim 1), memory, processor and database, (claim 6), a non-transitory computer readable device and computing device (claim 15)). However, said additional elements are recited at a high level of generality (i.e. generic computing device/processor performing generic receiving, identifying, generating and storing functions), such that it amounts no more than mere instructions to apply the exception or abstract idea using a generic computer component. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic functions (i.e. indexing, in a database the unique SSH key fingerprint []) routinely used in the information technology field. See Ylonen et al (“Ylonen,” US 20130117554, where Vlonen discloses [0200], [0125] indexing, in a database, the unique SSH key fingerprint [0174]-[0175], [0184] and information about the host machine [0189], the user [0188], 2403, FIG 24 and the SSH key [0016] from the metadata [0186], 2201, FIG 22, [0188]). As discussed above, the additional elements recited as a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application nor significantly more. Regarding claims 2-7, 9-14 and 16-20, claims 2-7, 9-14 and 16-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims are directed to an abstract idea without being integrated into a practical application nor being significantly more. It’s noted that claims 3, 10 and 16 recite the limitation “to record and report “ Similar to the analysis discussed above, the limitation “to record and report,” is recited at a high level of generality which is a form of insignificant extra-solution activity; and the limitation “to record and report,” is also a mental process which is an abstract idea. Merely adding another abstract idea to the claim does not make the claim less abstract. See RecogniCorp, LLC v. Nintendo Co., 855 F. 3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea…to another abstract idea…does not render the claim non-abstract”). It’s noted that claims 4, 11 and 17 recite the limitation “to determine “ Similar to the analysis discussed above, the limitation “to determine,” is recited at a high level of generality which is a form of insignificant extra-solution activity; and the limitation “to determine” is also a mental process which is an abstract idea. Merely adding another abstract idea to the claim does not make the claim less abstract. See RecogniCorp, LLC v. Nintendo Co., 855 F. 3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea…to another abstract idea…does not render the claim non-abstract”). It’s noted that claims 5, 12 and 18 recite the limitation “identifying [] and determining [] “ Similar to the analysis discussed above, the limitation “identifying [] and determining [] “ is recited at a high level of generality which is a form of insignificant extra-solution activity; and the limitation “identifying [] and determining [] “ is also a mental process which is an abstract idea. Merely adding another abstract idea to the claim does not make the claim less abstract. See RecogniCorp, LLC v. Nintendo Co., 855 F. 3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea…to another abstract idea…does not render the claim non-abstract”). It’s noted that claims 6, 13 and 19 recite the limitation “to identify [],” Similar to the analysis discussed above, the limitation “to identify [],” is recited at a high level of generality which is a form of insignificant extra-solution activity; and the limitation “to identify [],” is also a mental process which is an abstract idea. Merely adding another abstract idea to the claim does not make the claim less abstract. See RecogniCorp, LLC v. Nintendo Co., 855 F. 3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea…to another abstract idea…does not render the claim non-abstract”). It’s noted that claims 7, 14 and 20 recite the limitation “retrieving [] and generating [].” Similar to the analysis discussed above, the limitation “retrieving [] and generating [],” is recited at a high level of generality which is a form of insignificant extra-solution activity; and the limitation “retrieving [] and generating [].” is also a mental process which is an abstract idea. Merely adding another abstract idea to the claim does not make the claim less abstract. See RecogniCorp, LLC v. Nintendo Co., 855 F. 3d 1322, 1327 (Fed. Cir. 2017) (“Adding one abstract idea…to another abstract idea…does not render the claim non-abstract”). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 4, 6, 8, 11, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ylonen et al (“Ylonen,” US 20130117554) in view of Nordstrom et al (“Nordstrom,” US 20200304492) and further in view of Neel et al (“Neel,” “Oh SSH-it, What’s My Fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS, 2022, Pages 1-18). Regarding claim 1, Ylonen discloses a computer-implemented method, comprising: ingesting metadata for a host machine, the metadata comprising a machine ID for the host machine, account IDs associated with the host machine, and a plurality of secure shell (SSH) key objects, wherein each SSH key object represents one of a plurality of SSH keys for accessing an account on the host machine associated with one of a plurality of users; (Ylonen discloses [0053] ingesting metadata [0186], 2201, FIG 22, [0188] for a host machine [0060], the metadata comprising a machine ID for the host machine [0189], account IDs associated with the host machine [0060], and a plurality of secure shell (SSH) key objects [0119], [0123], [0185] wherein each SSH key object [0119], [0123], [0185] represents one of a plurality of SSH keys [0016], [0118] for accessing an account [0081] on the host machine [0082] associated with one of a plurality of users [0089]) computing a hash of at least one SSH key in the plurality of SSH key objects; (Vlonen discloses computing a hash [0115], [0120], [0125] of at least one SSH key [0081], [0016] in the plurality of SSH key objects [0119], [0123], [0185]) extracting at least one SSH key hash for an SSH key corresponding to the SSH key object and a user ID for a user associated with the SSH key; (Vlonen describes [0122] extracting at least one SSH key hash [0120] for an SSH key [0016] corresponding to the SSH key object [0119], [0123], [0185] and a user ID [0188], 2403, FIG 24, for a user associated with the SSH key [0016]) indexing, in a database, the unique SSH key fingerprint and information about the host machine, the user and the SSH key from the metadata; (Vlonen discloses [0200], [0125] indexing, in a database, the unique SSH key fingerprint [0174]-[0175], [0184] and information about the host machine [0189], the user [0188], 2403, FIG 24 and the SSH key [0016] from the metadata [0186], 2201, FIG 22, [0188]) and executing a verification operation on one or more of the unique SSH key fingerprints stored in the database, the verification operation comprising comparing the stored SSH key fingerprint against a received SSH key, to determine whether the SSH key corresponds to a valid key for accessing the host machine, (Vlonen discloses and executing a verification operation [0115]-[0116], on one or more of the unique SSH key fingerprints [0174]-[0175], [0184] stored in the database [0200], the verification operation [0115]-[0116], comprising comparing [0124]-[0125], [0184] the stored SSH key fingerprint [0174]-[0175], [0184] against a received SSH key [0016], to determine whether the SSH key [0016] corresponds to a valid key [0105] for accessing the host machine 704, 705, FIG 7) Ylonen fails to explicitly disclose combining, via concatenation, the machine ID, the user ID. However, in an analogous art, Nordstrom discloses combining, via concatenation, the machine ID, the user ID, (Nordstrom describes FIG 7D, [0166] describes combining, via concatenation, the machine ID, the user ID) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nordstrom with the method/system of Ylonen to include combining, via concatenation, the machine ID, the user ID, and the SSH key hash for the SSH key to create a unique SSH key fingerprint for the SSH key object of the plurality of SSH key objects. One would have been motivated to authenticate a client device based on entropy from a server and/or other device such as a device paired with the client device (Nordstrom, [0002]). However, in an analogous art, Neel discloses combining, via concatenation, and the SSH key hash for the SSH key to create a unique SSH key fingerprint for the SSH key object of the plurality of SSH key objects; (Neel discloses combining, via concatenation (Page 6, Under Section 2.2, Listing 1.3 shows a concatenated format), and the SSH key hash (Page 4, Under Section 2.1 Host Key Verification, Under Fingerprints Section) for the SSH key (Page 4, Section 2.1 First Paragraph) to create a unique SSH key fingerprint (Page 4, Under Section 2.1 Host Key Verification, Under Fingerprints Section) for the SSH key object (Page 4, Section 2.1 First Paragraph) of the plurality of SSH key objects (Page 4, Section 2.1 First Paragraph)) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Neel with the method/system of Ylonen and Nordstrom to include combining, via concatenation, the machine ID, the user ID, and the SSH key hash for the SSH key to create a unique SSH key fingerprint for the SSH key object of the plurality of SSH key objects. One would have been motivated to avoid manual verification of SSH server keys (Neel, Page 2, Third Paragraph). Regarding claim 4, Ylonen, Nordstrom and Neel disclose the method of claim 1. Ylonen further discloses wherein the SSH key management agent application is further configured to determine if an SSH key ion the host machine is valid for use and, based on the determination, allow or disallow use of the SSH key for authentication of a user on the host machine, (Ylonen discloses wherein the SSH key management agent application [0058] is further configured to determine if an SSH key [0016] on the host machine [0059] is valid for use [0105] and, based on the determination, allow [0105] or disallow use of the SSH key for authentication of a user on the host machine [0169]) Regarding claim 6, Ylonen, Nordstrom and Neel disclose the method of claim 1. Ylonen further discloses wherein the unique SSH key fingerprint for the SSH key object is used to identify all installations of every SSH key is valid for use, (Ylonen discloses wherein the unique SSH key fingerprint [0174]-[0175], [0184] for the SSH key object [0119], [0123], [0185] is used to identify all installations [0185] of every SSH key [0016] is valid for use [0105]) Regarding claim 8, claim 8 is directed to a system. Claim 8 is similar in scope to claim 1 and is therefore rejected under the same rationale. Regarding claim 11, claim 11 is directed to the system of claim 8. Claim 11 is similar in scope to claim 4 and is therefore rejected under the same rationale. Regarding claim 15, claim 15 is directed to a non-transitory computer-readable device. Claim 15 is similar in scope to claim 1 and is therefore rejected under the same rationale. Regarding claim 19, claim 19 is directed to the non-transitory computer-readable device of claim 15. Claim 19 is similar in scope to claim 6 and is therefore rejected under the same rationale. Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Ylonen et al (“Ylonen,” US 20130117554), Nordstrom et al (“Nordstrom,” US 20200304492) in view of Neel et al (“Neel,” “Oh SSH-it, What’s My Fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS, 2022, Pages 1-18) and further in view of Govardhan et al (“Govardhan,” US 20190163510). Regarding claim 2, Ylonen, Nordstrom and Neel disclose the method of claim 1. Ylonen, Nordstrom and Neel fail to explicitly disclose wherein the host machine is a cloud based virtual machine and the machine ID is an instance ID. However, in an analogous art, Govardhan discloses wherein the host machine is a cloud based virtual machine and the machine ID is an instance ID, (Govardhan, [0004], [0030], [0021], describes wherein the host device is a cloud based virtual machine with an instance identifier corresponding to the hosted virtual machine instance) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Govardhan with the method/system of Ylonen, Nordstrom and Neel to include wherein the host machine is a cloud based virtual machine and the machine ID is an instance ID. One would have been motivated to provide collaborative hosted virtual machines (Govardhan, [0001]). Regarding claim 9, claim 9 is directed to the system of claim 8. Claim 9 is similar in scope to claim 2 and is therefore rejected under the same rationale. Claims 3, 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ylonen et al (“Ylonen,” US 20130117554), Nordstrom et al (“Nordstrom,” US 20200304492), Neel et al (“Neel,” “Oh SSH-it, What’s My Fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS, 2022, Pages 1-18) and further in view of Ansari et al (“Ansari,” US 20080165789). Regarding claim 3, Ylonen, Nordstrom and Neel disclose the method of claim 1. Ylonen, Nordstrom and Neel fail to explicitly disclose wherein the metadata is sent from an SSH key management agent application executing on the host machine and wherein the SSH key management agent is configured to record and report operational metadata for the host machine. However, in an analogous art, Ansari discloses wherein the metadata is sent from an SSH key management agent application executing on the host machine and wherein the SSH key management agent is configured to record and report operational metadata for the host machine, (Ansari, [0092] describes wherein the metadata is sent from an SSH key management agent application [0091], [0006] executing on the host machine [0032] and wherein the SSH key management agent [0091], [0006] is configured to record and report [0041] operational metadata [0156] for the host machine [0032]) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ansari with the method/system of Ylonen and Nordstrom to include wherein the metadata is sent from an SSH key management agent application executing on the host machine and wherein the SSH key management agent is configured to record and report operational metadata for the host machine. One would have been motivated to provide management of operational information for gateway devices from a user premises and/or for associated endpoint devices, and to facilitate management of the application services, where a demarcation is defined between resources of the gateway accessible to and managed by a service provider and service access by a user via an endpoint device (Ansari, [0003]). Regarding claim 10, claim 10 is directed to the system of claim 8. Claim 10 is similar in scope to claim 3 and is therefore rejected under the same rationale. Regarding claim 16, claim 16 is directed to the non-transitory computer-readable device of claim 15. Claim 16 is similar in scope to claim 3 and is therefore rejected under the same rationale. Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ylonen et al (“Ylonen,” US 20130117554), Nordstrom et al (“Nordstrom,” US 20200304492) in view of Neel et al (“Neel,” “Oh SSH-it, What’s My Fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS, 2022, Pages 1-18) and further in view of Harjula et al (“Harjula,” WO 2015042604). Regarding claim 5, Ylonen, Nordstrom and Neel disclose the method of claim 4. Ylonen, Nordstrom and Neel fail to explicitly disclose wherein the determination comprises: identifying a time period indicating an amount of time elapsed since the SSH key was created; and determining that the SSH key has not expired by comparing the identified time period for the SSH key with a predetermined expiration time, wherein the predetermined expiration time indicates a period of time for which an SSH key is valid for use. However, in an analogous art, Harjula discloses wherein the determination comprises: identifying a time period indicating an amount of time elapsed since the SSH key was created; and determining that the SSH key has not expired by comparing the identified time period for the SSH key with a predetermined expiration time, wherein the predetermined expiration time indicates a period of time for which an SSH key is valid for use (Harjula, discloses wherein the determination comprises: identifying a time period indicating an amount of time elapsed since the SSH key was created; (Harjula, [00225]-[00227] and determining that the SSH key has not expired by comparing the identified time period for the SSH key with a predetermined expiration time, wherein the predetermined expiration time indicates a period of time for which an SSH key is valid for use [0032], [0087], [00210]) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hajula with the method/system of Ylonen, Nordstrom and Neel to include wherein the determination comprises: identifying a time period indicating an amount of time elapsed since the SSH key was created; and determining that the SSH key has not expired by comparing the identified time period for the SSH key with a predetermined expiration time, wherein the predetermined expiration time indicates a period of time for which an SSH key is valid for use. One would have been motivated to provide discovery and management of keys and trust relationships in environments employing Secure Shell (SSH) protocols (Harjula, [0002]). Regarding claim 12, claim 12 is directed to the system of claim 11. Claim 12 is similar in scope to claim 5 and is therefore rejected under the same rationale. Regarding claim 18, claim 18 is directed to the non-transitory computer-readable device of claim 17. Claim 18 is similar in scope to claim 5 and is therefore rejected under the same rationale. Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ylonen et al (“Ylonen,” US 20130117554), Nordstrom et al (“Nordstrom,” US 20200304492), Neel et al (“Neel,” “Oh SSH-it, What’s My Fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS, 2022, Pages 1-18) and further in view of Ylonen et al (“Ylonen ‘604,” US 20150222604). Regarding claim 7, Ylonen and Nordstrom disclose the method of claim 6. Ylonen further discloses further comprising: retrieving, from the database, data comprising a plurality of unique SSH key fingerprints and information about the host machine, the user, and the SSH key corresponding to each unique SSH key fingerprint of the plurality of unique SSH key fingerprints; (Ylonen discloses further comprising: retrieving, from the database [0120], data comprising a plurality of unique SSH key fingerprints [0119] and information about the host machine [0189], the user [0188], and the SSH key [0016] corresponding to each unique SSH key fingerprint [0119] of the plurality of unique SSH key fingerprints [0119]) However, in an analogous art, Ylonen ‘604 discloses and generating, based on the data, a security audit report for SSH keys in use within the computing network, (Ylonen, [0604], [0826], [0951] describes creating based on the data, an audit report for SSH keys in use within the computing network [0953]) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ylonen 604’ with the method/system of Ylonen, Nordstrom and Neel to include and generating, based on the data, a security audit report for SSH keys in use within the computing network. One would have been motivated to provide identity, access management and key management (Ylonen 604’, [0001]). Regarding claim 14, claim 14 is directed to the system of claim 13. Claim 14 is similar in scope to claim 7 and is therefore rejected under the same rationale. Regarding claim 20, claim 20 is directed to the non-transitory computer-readable device of claim 19. Claim 20 is similar in scope to claim 7 and is therefore rejected under the same rationale. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAMES J WILCOX/Examiner, Art Unit 2439 /LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439
Read full office action

Prosecution Timeline

May 25, 2023
Application Filed
Jun 27, 2025
Non-Final Rejection — §101, §103
Sep 23, 2025
Examiner Interview Summary
Sep 23, 2025
Applicant Interview (Telephonic)
Sep 30, 2025
Response Filed
Dec 30, 2025
Final Rejection — §101, §103
Mar 30, 2026
Request for Continued Examination
Apr 01, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology. Study what changed to get past this examiner.

Patent 12562884
OBFUSCATING DATA AT-TRANSIT
2y 5m to grant Granted Feb 24, 2026
Patent 12495042
SYSTEMS AND METHODS FOR RESETTING AN AUTHENTICATION COUNTER
2y 5m to grant Granted Dec 09, 2025
Patent 12450359
METHOD AND APPARATUS FOR SECURING EMBEDDED DEVICE FIRMWARE
2y 5m to grant Granted Oct 21, 2025
Patent 12432244
Home Gateway Monitoring for Vulnerable Home Internet of Things Devices
2y 5m to grant Granted Sep 30, 2025
Patent 12425371
SYSTEM AND METHOD FOR PROVIDING SCHC-BASED EDGE FIREWALLING
2y 5m to grant Granted Sep 23, 2025

AI Strategy Recommendation

Click below to generate an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
70%
Grant Probability
99%
With Interview (+58.8%)
3y 5m
Median Time to Grant
Moderate
PTA Risk
Based on 605 resolved cases by this examiner