DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending for examination.
Claim Objections
Claims 1, 11 and 16 are objected to because of the following informalities: line 7, “add adding” should be changed to “adding”. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 6-11, 16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more.
Step 2A Prong 1:
Claims 1, 11 and 16, the claim(s) recite(s) “making a first determination regarding whether the orchestrator is authorized to replace pre-onboarding ownership chain data with the replacement data: in a first instance of the first determination where the orchestrator is authorized” and “and in a second instance of the first determination where the orchestrator is not authorized” as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “making a first determination” in the context of this claim encompasses simple determinations that may be performed within the mind such as making observations, evaluations, judgements and opinion regarding criteria corresponding to orchestrator to be authorized, and the orchestrator is evaluated to make judgements whether the orchestrator is authorized to replace data, as thought of mentally above.
Similarly, the limitation of “discarding the pre-onboarding ownership chain data in authority resolution data and add adding the replacement data to the authority resolution data to obtain first updated authority resolution data” and “adding the replacement data to the authority resolution data to obtain second updated authority resolution data”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind and/or with the aid of pen and paper. For example, “discarding” and “adding” different types of data in the context of this claim encompasses the user manually adding the received data to another data using pen and paper to generate an updated data.
Similarly, the limitation of “processing the second signed workorder using the second updated authority resolution data” as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind and/or with the aid of pen and paper. For example, “processing the second signed workorder” encompasses the user manually handle/evaluate the signed workorder with pen and paper, using the updated authority resolution data, and generate judgements/opinion regarding the workorder.
Additional elements are evaluated below.
Claim 6, similarly, the limitation of “the first determination is made using an onboarding management certificate, the onboarding management certificate being verifiable using the pre-onboarding ownership chain data, and the onboarding management certificating indicate whether the orchestrator is authorized to replace pre-onboarding ownership chain data with the replacement data”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “the first determination is made using an onboarding management certificate” in the context of this claim encompasses simple determinations that may be performed within the mind such as making observations, evaluations, judgements and opinion regarding “an onboarding management certificate” where the data of the certificate is evaluated to make judgements whether the orchestrator is authorized to replace data, as thought of mentally above.
Claim 7: the additional elements of this claim are evaluated below.
Claim 8: the additional elements of this claim are evaluated below.
Claim 9: similarly, the limitation of “a certificate chain usable to verify that authority over the data processing system has been delegated from the root of trust to an owner of the orchestrator”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “a certificate chain usable to verify” in the context of this claim encompasses simple determinations that may be performed within the mind such as making observations, evaluations, judgements and opinion regarding “a certificate chain” where the data of the certificate is evaluated to make judgements whether the orchestrator is authorized to replace data, as thought of mentally above. the additional elements of this claim are evaluated below.
Claim 10: similarly, the limitation of “the replacement data is signed with a key of the owner of the orchestrator”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind and/or with the aid of pen and paper. For example, “signed with a key” in the context of this claim encompasses the user manually adding a key (data) of the owner of the orchestrator to the replacement data using pen and paper to generate a signed replacement data.
Step 2A Prong 2:
Claims 1, 11 and 16: This judicial exception is not integrated into a practical application. In particular, the claim recites additional elements -“obtaining replacement data for the data processing system from an orchestrator”, “obtaining a first signed workorder”, “obtaining a second signed workorder” which are merely insignificant pre and post solution data gathering activity which does not meaningfully limit the judicial exception, see MPEP § 2106.05(g). Further, “to complete onboarding of the data processing system; to complete the onboarding of the data processing system” is merely the field of use/technological environment in which the judicial except is being applied and does not meaningfully limit the judicial exception, see MPEP § 2106.05(h).
Claim 11 further recites additional elements – “a non-transitory machine readable medium having instructions stored therein, which when executed by a processor, cause operations for managing onboarding of managing onboarding of a data processing system” and claim 16 further recites additional elements – “A management system, comprising: a processor; and a memory coupled to the processor to store instructions which when executed by the processor cause operations for managing onboarding of data processing systems to be performed” which are merely recitations of generic computing components and functions (see MPEP § 2106.05(b)) which does not integrate a judicial exception into practical application.
Claim 7: The judicial exception is not integrated into a practical application. In particular, the claim recites additional elements -“ the orchestrator is adapted to provide the replacement data or supplemental data to data processing systems, the replacement data comprising first instructions to replace any pre-onboarding ownership chain data trusted by the data processing systems with the replacement data, and the supplemental data comprising second instructions to add the supplemental data to any pre-onboarding ownership chain data trusted by the data processing systems” which are merely insignificant pre-solution data gathering activity which does not meaningfully limit the judicial exception, see MPEP § 2106.05(g). Further, “during onboardings”, is merely the field of use/technological environment in which the judicial except is being applied and does not meaningfully limit the judicial exception, see MPEP § 2106.05(h).
Claim 8, The judicial exception is not integrated into a practical application. In particular, the claim recites additional element – “the replacement data comprises a new root of trusted and a new globally unique identifier for the data processing system”, which are merely insignificant pre-solution data gathering activity which does not meaningfully limit the judicial exception, see MPEP § 2106.05(g).
Claim 9, The judicial exception is not integrated into a practical application. In particular, the claim recites additional elements – “the pre-onboarding ownership chain data comprises an original root of trust and an original globally unique identifier for the data processing system” which are merely insignificant pre-solution data gathering activity which does not meaningfully limit the judicial exception, see MPEP § 2106.05(g).
Claims 6 and 10: they do not recite any additional elements.
Therefore, , “Do the claims recite additional elements that integrate the judicial exception into a practical application? No, these additional elements do not integrate the abstract idea into a practical application and they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
After having evaluating the inquires set forth in Steps 2A Prong 1 and 2, it has been concluded that the claims 1, 8 and 15 not only recite a judicial exception but that the claims are directed to the judicial exception as the judicial exception has not been integrated into practical application.
Step 2B:
Claims 1, 11 and 16, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, additional elements -“obtaining replacement data for the data processing system from an orchestrator”, “obtaining a first signed workorder”, “obtaining a second signed workorder” which are merely insignificant pre and post solution data gathering activity which does not meaningfully limit the judicial exception, see MPEP § 2106.05(g). Further, “to complete onboarding of the data processing system; to complete the onboarding of the data processing system” is merely the field of use/technological environment in which the judicial except is being applied and does not meaningfully limit the judicial exception, see MPEP § 2106.05(h). This pre-solution data gathering and field of use/technological environment do not impose meaning limits on practicing the abstract idea and thus cannot provide an inventive concept. Also the additional elements of “a non-transitory machine readable medium having instructions stored therein, which when executed by a processor, cause operations for managing onboarding of managing onboarding of a data processing system” and “a management system, comprising: a processor; and a memory coupled to the processor to store instructions which when executed by the processor cause operations for managing onboarding of data processing systems” amount to no more than generic computing components which do not amount to significantly more than the abstract idea.
Therefore, “Do the claims recite additional elements that amount to significantly more than the judicial exception? No, these additional elements, alone or in combination, do not amount to significantly more than the judicial exception. Having concluded analysis within the provided framework, Claims 1, 11 and 16 do not recite patent eligible subject matter under 35 U.S.C. § 101.
Claim 7: the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, additional elements -“ the orchestrator is adapted to provide the replacement data or supplemental data to data processing systems, the replacement data comprising first instructions to replace any pre-onboarding ownership chain data trusted by the data processing systems with the replacement data, and the supplemental data comprising second instructions to add the supplemental data to any pre-onboarding ownership chain data trusted by the data processing systems” which are merely insignificant pre-solution data gathering activity, see MPEP § 2106.05(g). Further, “during onboardings”, is merely the field of use/technological environment in which the judicial except is being applied, see MPEP § 2106.05(h). This pre-solution data gathering and field of use/technological environment do not impose meaning limits on practicing the abstract idea and thus cannot provide an inventive concept.
Claim 8, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, additional elements – “the replacement data comprises a new root of trusted and a new globally unique identifier for the data processing system”, which are merely insignificant pre-solution data gathering activity, see MPEP § 2106.05(g). This pre-solution data gathering does not impose meaning limits on practicing the abstract idea and thus cannot provide an inventive concept.
Claim 9, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, additional elements – “the pre-onboarding ownership chain data comprises an original root of trust and an original globally unique identifier for the data processing system” which are merely insignificant pre-solution data gathering activity, see MPEP § 2106.05(g). This pre-solution data gathering does not impose meaning limits on practicing the abstract idea and thus cannot provide an inventive concept.
Claims 6 and 10: they do not recite any additional elements.
Therefore, “Do the claims recite additional elements that amount to significantly more than the judicial exception? No, these additional elements do not amount to significantly more than the judicial exception.
Having concluded analysis within the provided framework, Claims 1, 6-11, 16 are not eligible subject matter under 35 U.S.C. § 101.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 6-13, 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith US Pub 2020/0327231 (hereafter Smith) in view of Eilam et al. US Pub 2024/0205021 (hereafter Eilam) and further in view of Haddad et al. US Pub 2024/0086205 (hereafter Haddad).
As per claim 1, Smith teaches the invention as claimed including a method of managing onboarding of a data processing system, the method comprising: obtaining replacement data for the data processing system from an orchestrator (para[0020, 0075, 0104-0106], original and subsequent entities are enabled actions such as onboarding devices, and generate voucher for the hardware component (replacement data), establishing partial ownership for supply chain entity);
making a first determination regarding whether the orchestrator is authorized to replace pre-onboarding ownership chain data with the replacement data; in a first instance of the first determination where the orchestrator is authorized (para[0081-0082, 0085-0087, 0102-0106], determine that an entity is identified as a certificate authority for OCM in the OCM embedded voucher, indicating whether an entity is authorized to modify embedded voucher (pre-onboarding ownership chain data));
and in a second instance of the first determination where the orchestrator is not authorized: adding the replacement data to the authority resolution data to obtain second updated authority resolution data to complete the onboarding of the data processing system (para[0079-0087, 0090-0092, 0102-0106], FIG. 6, the entity is identified as a partial owner, a digital voucher is generated for the hardware component, store (add) the voucher in storage memory (without discarding the embedded voucher) and the voucher is used to validate ownership for action by entity to perform onboarding of the hardware component).
Smith does not explicitly teach discarding the pre-onboarding ownership chain data in authority resolution data and add adding the replacement data to the authority resolution data to obtain first updated authority resolution data to complete onboarding of the data processing system; obtaining a first signed workorder; and processing the first signed workorder using the first updated authority resolution data; obtaining a second signed workorder; and processing the second signed workorder using the second updated authority resolution data.
However, Eilam teaches discarding the pre-onboarding ownership chain data in authority resolution data and add adding the replacement data to the authority resolution data to obtain first updated authority resolution data to complete onboarding of the data processing system (para[0039, 0047-0050], FIG. 4, remove first owner certificates and private data of the previous owner and load (add) authenticated the intermediate ROT, public key and signature (replacement data)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Eilam’s teaching to Smith’s invention in order to provide a method of secure ownership transfer of a device which limits direct interaction between the second owner and the first owner using an intermediate root of trust credentials, which minimize potential security threats both for the original owner and the new owner (para[0035-0039]).
Smith and Eilam do not explicitly teach obtaining a first signed workorder; and processing the first signed workorder using the first updated authority resolution data; obtaining a second signed workorder; and processing the second signed workorder using the second updated authority resolution data.
However, Haddad teaches obtaining a first signed workorder; and processing the first signed workorder using the first updated authority resolution data; obtaining a second signed workorder; and processing the second signed workorder using the second updated authority resolution data (para[0049, 0055, 0059-0062], the iPXE script is signed (signed workorder) based on the owner certificate, and the script is validated and verified using the voucher and certificate to be executed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Haddad’s teaching to Smith and Eilam’s invention in order to provide a techniques and architecture for validating and verifying scripts prior to execution which utilizes ownership vouchers and owner certificates to validate and verify signed scripts, which enables the signature validation for customer written scripts that improves the security posture for network devices and avoid a threat vector and vulnerability created by unsigned scripts interfaces (para[0029]).
As per claim 2, Smith, Eilam and Haddad teach the method of claim 1, and Eilam teaches further comprising: in the first instance of the first determination where the orchestrator is authorized: obtaining a request to onboard to a new orchestrator (para[0005-0006], owner of the device is requesting to transfer ownership of a device to another entity);
making a second determination that the first updated authority resolution data does not comprise the pre-onboarding ownership chain data; based on the second determination: obtaining a new certificate chain that establishes delegation of authority between an existing owner as specified by the replacement data and a new owner that owns the new orchestrator (para[0047-0051], the intermediate public key is received and the certificates of the first owner is removed from the device (pre-onboarding ownership chain data is removed), then the new certificates of the second owner is obtained to transfer the ownership from the first to second owner);
and using the new certificate chain to onboard to the new orchestrator (para[0057], the second owner provides certificates of the second owner to onboard the device to the second owner).
As per claim 3, Smith teaches further comprising: in the second instance of the first determination where the orchestrator not authorized (para[0081-0082, 0085-0087, 0102-0106], determine that an entity is identified as a certificate authority for OCM in the OCM embedded voucher, indicating whether an entity is authorized to modify embedded voucher (pre-onboarding ownership chain data));
obtaining a request to onboard to a new orchestrator: making a second determination that the first updated authority resolution data comprises the pre-onboarding ownership chain data; based on the second determination: using the pre-onboarding ownership chain data to perform a second onboard of the data processing system to the new orchestrator (para[0079-0087, 0090-0092, 0102-0106], FIG. 6, the entity is identified as a partial owner, a digital voucher is generated for the hardware component based on the embedded voucher, store (add) the voucher in storage memory (without discarding the embedded voucher) and the voucher is used to validate ownership for action by entity to perform onboarding of the hardware component).
As per claim 6, Smith teaches wherein the first determination is made using an onboarding management certificate, the onboarding management certificate being verifiable using the pre-onboarding ownership chain data, and the onboarding management certificating indicate whether the orchestrator is authorized to replace pre-onboarding ownership chain data with the replacement data (para[0081-0082, 0085-0087, 0102-0106], determine that an entity is identified as a certificate authority for OCM in the OCM embedded voucher, indicating whether an entity is authorized to modify embedded voucher (pre-onboarding ownership chain data)).
As per claim 7, Eilam teaches wherein the orchestrator is adapted to provide the replacement data or supplemental data to data processing systems during onboardings, the replacement data comprising first instructions to replace any pre-onboarding ownership chain data trusted by the data processing systems with the replacement data, and the supplemental data comprising second instructions to add the supplemental data to any pre-onboarding ownership chain data trusted by the data processing systems (para[0039, 0047-0050, 0061], FIG. 4, the replacement data comprises intermediate ROT credentials which is loaded onto the device, and the sensitive data of the first owner are removed from the device leaving the intermediate ROT credentials).
As per claim 8, Smith teaches wherein the replacement data comprises a new globally unique identifier for the data processing system (para[0080], owner voucher (replacement data) includes new local device identifier (LDevID)).
In addition, Eilam teaches the replacement data comprises a new root of trusted (para[0036], loading of the new Root of Trust credentials of the new owner).
As per claim 9, Smith teaches the pre-onboarding ownership chain data comprises an original globally unique identifier for the data processing system (para[0080-0081], OCM embedded voucher includes a globally unique initial device identifier (IDevID)).
Eilam teaches wherein the pre-onboarding ownership chain data comprises an original root of trust for the data processing system, and a certificate chain usable to verify that authority over the data processing system has been delegated from the root of trust to an owner of the orchestrator (para[0036, 0043, 0051-0053], the first owner certificates, first public key, first owner firmware (original root of trust) is used to prepare for ownership transfers of the device to a new owner)
As per claim 10, Eilam teaches wherein the replacement data is signed with a key of the owner of the orchestrator (para[0057-0059], the replacement data including second certificate and second key, where the certificate data is signed with second private key of the second owner).
As per claim 11, it is a non-transitory machine-readable medium claim of claim 1 above, thus it is rejected for the same rationale.
As per claim 12, it is a non-transitory machine-readable medium claim of claim 2 above, thus it is rejected for the same rationale.
As per claim 13, it is a non-transitory machine-readable medium claim of claim 3 above, thus it is rejected for the same rationale.
As per claim 16, it is a management system claim of claim 1 above, thus it is rejected for the same rationale.
As per claim 17, it is a management system claim of claim 2 above, thus it is rejected for the same rationale.
As per claim 18, it is a management system claim of claim 3 above, thus it is rejected for the same rationale.
Claim(s) 4-5, 14-15, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith in view of Eilam and Haddad as applied to claim 3 above, and further in view of Smith et al. US Pub 2020/0275273 (hereafter Smith2).
As per claim 4, Smith, Eilam and Haddad teach the method of claim 3, but they do not explicitly teach wherein using the pre-onboarding ownership chain data to onboard to the new orchestrator comprises: contacting a rendezvous system to obtain a redirection to the new orchestrator; and verifying that the new orchestrator has authority over the data processing system using, at least in part, the pre-onboarding ownership chain data.
However, Smith2 teaches using the pre-onboarding ownership chain data to onboard to the new orchestrator comprises: contacting a rendezvous system to obtain a redirection to the new orchestrator (para[0030, 0055-0058, 0066-0070], device registers an intent to onboard at the rendezvous service and receives information for an onboarding server);
and verifying that the new orchestrator has authority over the data processing system using, at least in part, the pre-onboarding ownership chain data (para[0030, 0055-0056, 0066], verifies using UUID that the onboarding service is expecting the device, provides the devices with network credentials sufficient to contact the onboarding service).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Smith2’s teaching to Smith, Eilam and Haddad’s invention in order to provide a method for zero-touch device onboarding using an authenticator obtained using a rendezvous service and secure device onboarding using a privacy protected self-sovereign identity (para[0002]).
As per claim 5, Smith, Eilam, Haddad and Smith2 teach the method of claim 4, Smith teaches verifying, by the data processing system, that the orchestrator has authority over the data processing system using, at least in part, the pre-onboarding ownership chain data (para[0081-0082, 0085-0087, 0102-0106], determine that an entity is identified as a certificate authority for OCM in the OCM embedded voucher, indicating whether an entity is authorized to modify embedded voucher (pre-onboarding ownership chain data)).
In addition, Smith2 teaches further comprising: prior to obtaining the replacement data and during the onboarding: establishing, by the orchestrator and to the rendezvous system, authority over the data processing system using the pre-onboarding ownership chain data (para[0030, 0055-0056, 0066-0070], rendezvous service alerts the onboarding service of the device’s intent to onboard, and receives information for an onboarding server, by establishing connections between them);
redirecting, by the rendezvous system, the data processing system to the orchestrator (para[0055-0056], the onboarding server makes its availability known to the rendezvous service, and the rendezvous service supply an IP address of the intended onboarding server).
As per claim 14, it is a non-transitory machine-readable medium claim of claim 4 above, thus it is rejected for the same rationale.
As per claim 15, it is a non-transitory machine-readable medium claim of claim 5 above, thus it is rejected for the same rationale.
As per claim 19, it is a management system claim of claim 4 above, thus it is rejected for the same rationale.
As per claim 20, it is a management system claim of claim 5 above, thus it is rejected for the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAMMY EUNHYE LEE whose telephone number is (571)270-7773. The examiner can normally be reached Mon, Tues, Thur 9PM-4PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached at (571)272-3756. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TAMMY E LEE/Primary Examiner, Art Unit 2195
Prosecution Insights