PROVISIONING WITH SECURE SOFTWARE SUPPLY CHAIN DELIVERY

§102 §103

DETAILED ACTION Response to Amendment The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This is in reply to papers filed on 2025-12-23 and interview 2025-12-31. Claims 1-7, 9-16, 18-20 are pending, following Applicant's cancellation of claims 8, 17. Claims 1, 11, 19 is/are independent. The objections to informalities in the claims are withdrawn in view of Applicant’s amendments. The rejection(s) of claims under 35 U.S.C. § 112 are withdrawn in view of Applicant’s amendments. Applicant's arguments/amendments have been fully considered, but are not persuasive. Note that this action is made FINAL. See MPEP § 706.07(a). Response to Arguments Applicant's arguments have been fully considered but they are not persuasive. As discussed during the interview, Applicant's apprehension (see ¶ 0008 of Applicant’s Remarks) is incorrect that the rejections have mapped the claimed "vendor" to the "vendor" of U.S. Publication 20180034682 to Gulati (hereinafter "Gulati '682") [Gulati '682 ¶ 0188]. To the contrary, the "vendor" of Gulati '682 is an upstream entity that vends components (e.g., a TPM chip) to a manufacturer/assembler of devices. The rejections do not map the "vendor" of Gulati '682 to the claimed "vendor". Instead, the rejections map the "OEM" of Gulati '682 to the claimed "vendor". Gulati '682's "OEM" is an entity downstream of the manufacturer who, typically, sells the assembled device to the a customer / end user, who uses the device. This interpretation is in line with Applicant's amendments concerning "a vendor cloud provisioner of a vendor of the computing device in a manufactured state". Indeed, the "OEM" of Gulati '682 is a vendor of the computing device in a manufactured state, as the amended claim now requires. For all these reasons, Applicant's argument that Gulati '682 lacks the claimed "vendor" is unpersuasive Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above. Claim Interpretation Examiner notes that the instant specification uses the term "vendor" to mean an entity downstream of the manufacturer; typically, this "vendor" sells the assembled device to the "customer", who uses the device [Specification ¶ 0033, 0036, 0043-0044, 0063]. Consistent with the broadest reasonable interpretation, Examiner construes "vendor" in this light throughout the claims. By contrast, certain references in the art use the term "vendor" to refer to an upstream entity that vends components (e.g., a TPM chip) to a manufacturer/assembler of devices [see, e.g. . U.S. Publication 20180034682 to Gulati (hereinafter "Gulati '682") ¶ 0188]. Gulati '682 refers to the entity that sells an assembled device to the consumer as an "OEM". Thus, the rejections below map the claimed "vendor" to the OEM of Gulati '682. Summary of Claim Rejections under 35 U.S.C. § 103 The following table summarizes the rejections set forth in detail below of the claims over the prior art. Claim No. Gulati '682 in view of Kinsman '434 1 [Wingdings font/0xFC] 2 [Wingdings font/0xFC] 3 [Wingdings font/0xFC] 4 [Wingdings font/0xFC] 5 [Wingdings font/0xFC] 6 [Wingdings font/0xFC] 7 [Wingdings font/0xFC] 9 [Wingdings font/0xFC] 10 [Wingdings font/0xFC] 11 [Wingdings font/0xFC] 12 [Wingdings font/0xFC] 13 [Wingdings font/0xFC] 14 [Wingdings font/0xFC] 15 [Wingdings font/0xFC] 16 [Wingdings font/0xFC] 18 [Wingdings font/0xFC] 19 [Wingdings font/0xFC] 20 [Wingdings font/0xFC] Claim Rejections - 35 U.S.C. § 103 The following is a quotation of the appropriate paragraphs of AIA 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of AIA 35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claim(s) 1-7, 9-16, 18-20 is/are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Publication 20180034682 to Gulati (hereinafter "Gulati '682") in view of U.S. Publication 20220337434 to Kinsman et al. (hereinafter "Kinsman '434"). Gulati '682 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2). Kinsman '434 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2). Per claim 1 (independent): Gulati '682 discloses a method (method of securely programming and customizing a manufactured device [Gulati '682 ¶ 0030]) Gulati '682 discloses storing a vendor secret on a computing device while the computing device is located at a manufacturer of the computing device (factory [Gulati '682 ¶ 0217, 0245] stores OEM certificate [Gulati '682 ¶ 0247]) Gulati '682 does not explicitly disclose querying, by a vendor cloud provisioner of a vendor of the computing device in a manufactured state, the manufacturer for a serial number of the computing device and a computing device secret However, Gulati '682 discloses cloud provisioner/ manufacturer storing a serial number of the computing device and a computing device secret (serial number in security system 932 [Gulati '682 ¶ 0258-0261, 0273-0276, 0083, 0111-0113]; managed and security processing system (MSP 902) [Gulati '682 ¶ 0206-0209] stores silicon vendor device cert 926 in security system 932 [Gulati '682 ¶ 0258-0261, 0273-0276]) Gulati '682 discloses binding, in a provisioning data structure external to the computing device, the computing device secret and the serial number (managed and security processing system (MSP 902) [Gulati '682 ¶ 0206-0209] stores silicon vendor device cert 926 and OEM device cert 946 together with serial number in security system 932 [Gulati '682 ¶ 0258-0261, 0273-0276]) Gulati '682 does not disclose correlating, in the provisioning data structure, a customer and provisioning instructions of the customer with the serial number of the computing device However, Gulati '682 discloses correlating, in the provisioning data structure, a customer and provisioning instructions of the customer with the serial number of the computing device ("The job control package 1112 comprises instructions and parameters for provisioning the programmable devices 128 with the target payload 1114." [Gulati '682 ¶ 0266]; ". . . the job control package 1112 can contain instructions for provisioning a specific set of the programmable devices 128." [Gulati '682 ¶ 0269]) Gulati '682 does not disclose receiving, from the computing device located at a location where the computing device is to be provisioned, a request for the provisioning instructions Gulati '682 discloses exchanging credentials between the computing device and the vendor cloud provisioner using the computing device secret and the vendor secret (dev is authenticated via silicon vendor device cert and OEM cert [Gulati '682 ¶ 0258-0259, 0035]) Gulati '682 discloses in response to a successful exchange of credentials between the computing device and the vendor cloud provisioner, transmitting the provisioning instructions to the computing device and/or receiving the serial number from the computing device (responsive to authentication, delivers payload [Gulati '682 ¶ 0265, 0281-0283]; dev is authenticated via silicon vendor device cert and OEM cert [Gulati '682 ¶ 0258-0259, 0035]; payload includes software, firmware, OS, etc. [Gulati '682 ¶ 0122]) Further: Kinsman '434 discloses querying, by a vendor cloud provisioner of a vendor of the computing device in a manufactured state, the manufacturer for a serial number of the computing device and a computing device secret (endpoint manager (e.g., carrier) uses device identifiers to acquire device information from manufacturer for further provisioning of device [Kinsman '434 ¶ 0041-0045]; ". . . cryptographically attaching the device to credentials, a network, management system, a serial number, a location, a customer, a customer configuration, and associate other metadata . . ." [Kinsman '434 ¶ 0006]; stores device serial number [Kinsman '434 ¶ 0061]) Kinsman '434 discloses correlating, in the provisioning data structure, a customer and provisioning instructions of the customer with the serial number of the computing device (binds device "to credentials, a network, management system, a serial number, a location, a customer, a customer configuration" [Kinsman '434 ¶ 0006, 0054]; devices are provisioned according to customer requirements [Kinsman '434 ¶ 0070-0072]; provisioning at customer site [Kinsman '434 ¶ 0062, 0070]; correlates and binds customer data [Kinsman '434 ¶ 0056-0058]) Kinsman '434 discloses receiving, from the computing device located at a location where the computing device is to be provisioned, a request for the provisioning instructions (device requests its configuration upon power up [Kinsman '434 ¶ 0064, 0066, 0062]) Kinsman '434 discloses exchanging credentials between the computing device and the vendor cloud provisioner using the computing device secret and the vendor secret (provisioner authenticates with multiple certificates, e.g., any cert or chain of certs known to device [Kinsman '434 ¶ 0062-0064, 0007]) It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gulati '682 with the multiple levels and locations of authenticated provisioning of Kinsman '434 to arrive at an apparatus, method, and product including: querying, by a vendor cloud provisioner of a vendor of the computing device in a manufactured state, the manufacturer for a serial number of the computing device and a computing device secret correlating, in the provisioning data structure, a customer and provisioning instructions of the customer with the serial number of the computing device receiving, from the computing device located at a location where the computing device is to be provisioned, a request for the provisioning instructions exchanging credentials between the computing device and the vendor cloud provisioner using the computing device secret and the vendor secret A person having ordinary skill in the art would have been motivated to combine them at least because having an authentication system that permits multiple levels and locations of provisioning with cryptographic guarantees would increase the flexibility of customizing manufactured devices and reduce the burden on any one stage in the chain to know about and accommodate all the others. A person having ordinary skill in the art would have been further motivated to combine them at least because Kinsman '434 teaches [Kinsman '434 ¶ 0006, 0054, 0062-0064, 0007, 0070-0074] modifying a device provisioning schema [Gulati '682 ¶ 0030] such as that of Gulati '682 to arrive at the claimed invention; because Gulati '682 and Kinsman '434 are in the same field of endeavor; because doing so constitutes use of a known technique (multiple levels and locations of authenticated provisioning [Kinsman '434 ¶ 0006, 0054, 0062-0064, 0007, 0070-0074]) to improve similar devices and/or methods (device provisioning schema [Gulati '682 ¶ 0030]) in the same way; because doing so constitutes applying a known technique (multiple levels and locations of authenticated provisioning [Kinsman '434 ¶ 0006, 0054, 0062-0064, 0007, 0070-0074]) to known devices and/or methods (device provisioning schema [Gulati '682 ¶ 0030])ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (device provisioning schema [Gulati '682 ¶ 0030] cryptographically authenticates multiple levels and locations of provisioning [Kinsman '434 ¶ 0006, 0054, 0062-0064, 0007, 0070-0074]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion. Per claim 2 (dependent on claim 1): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Gulati '682 does not disclose receiving from the customer, at the vendor cloud provisioner, the provisioning instructions for the computing device in response to verifying credentials of the customer Further: Kinsman '434 discloses receiving from the customer, at the vendor cloud provisioner, the provisioning instructions for the computing device in response to verifying credentials of the customer (authenticates customer [Kinsman '434 ¶ 0054-0062]; binds device "to credentials, a network, management system, a serial number, a location, a customer, a customer configuration" [Kinsman '434 ¶ 0006, 0054]; devices are provisioned according to customer requirements [Kinsman '434 ¶ 0070-0072]; provisioning at customer site [Kinsman '434 ¶ 0062, 0070]; correlates and binds customer data [Kinsman '434 ¶ 0056-0058]) For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gulati '682 with the multiple levels and locations of authenticated provisioning of Kinsman '434 to arrive at an apparatus, method, and product including: receiving from the customer, at the vendor cloud provisioner, the provisioning instructions for the computing device in response to verifying credentials of the customer Per claim 3 (dependent on claim 1): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Gulati '682 discloses the computing device comprises a secure processor, separate from a central processing unit of the computing device, the secure processor configured to secure hardware of the computing device through integrated cryptographic keys, wherein querying the computing device for the computing device secret and exchanging credentials between the vendor cloud provisioner and the computing device comprise querying the secure processor (secure memory 326 of security controller 114 stores silicon vendor device cert and OEM cert and cryptographic keys for authentication protocols [Gulati '682 ¶ 0292-0296]) Per claim 4 (dependent on claim 3): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 3 above, incorporated herein by reference Gulati '682 discloses the secure processor comprises a trusted platform module (“TPM”) (". . . security controller 114 can be a hardware security module (HSM), a microprocessor, a trusted security module (TPM) . . ." [Gulati '682 ¶ 0053]) Per claim 5 (dependent on claim 1): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Gulati '682 does not disclose receiving the request for the provisioning instructions from the computing device is in response to the computing device being powered on at the location where the computing device is to be provisioned However, Gulati '682 discloses receiving the request for the provisioning instructions from the computing device is from the security bootloader on at the location where the computing device is to be provisioned (security boot loader creates device identity, creates the ability to accept an encrypted data stream and de-crypt on device [Gulati '682 ¶ ]) Further: Kinsman '434 discloses receiving the request for the provisioning instructions from the computing device is in response to the computing device being powered on at the location where the computing device is to be provisioned (device requests its configuration upon power up [Kinsman '434 ¶ 0064]) For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gulati '682 with the multiple levels and locations of authenticated provisioning of Kinsman '434 to arrive at an apparatus, method, and product including: receiving the request for the provisioning instructions from the computing device is in response to the computing device being powered on at the location where the computing device is to be provisioned Per claim 6 (dependent on claim 1): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Gulati '682 discloses the provisioning instructions comprise instructions to download and/or install firmware, an operating system, a software registration certificate, and/or an application (payload includes software, firmware, OS, etc. [Gulati '682 ¶ 0122]) Per claim 7 (dependent on claim 1): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Gulati '682 discloses correlating the provisioning instructions with the serial number of the computing device occurs when the computing device is located at a location different than where the computing device was manufactured and different from the location where the computing device is to be installed (". . . the secure elements can be instantiated, transferred, and managed at different premises. The premises can include different types of locations such as a silicon manufacturer 1004, an OEM location 1006, a programming center 1008, a programmer location 1010, and a device location 1012. Each of the premises represents a location where some type of secure programming related actions can occur." [Gulati '682 ¶ 0232]) Per claim 9 (dependent on claim 1): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Gulati '682 discloses the location where the computing device is to be provisioned is at one of a location where the customer is installing the computing device and a location of a trusted vendor that is provisioning the computing device for the customer (". . . the secure elements can be instantiated, transferred, and managed at different premises. The premises can include different types of locations such as a silicon manufacturer 1004, an OEM location 1006, a programming center 1008, a programmer location 1010, and a device location 1012. Each of the premises represents a location where some type of secure programming related actions can occur." [Gulati '682 ¶ 0232]) Per claim 10 (dependent on claim 9): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference Gulati '682 does not disclose the trusted vendor is correlated with the computing device at the vendor cloud provisioner and wherein exchanging credentials between the computing device and the vendor cloud provisioner comprises the trusted vendor providing credentials Further: Kinsman '434 discloses the trusted vendor is correlated with the computing device at the vendor cloud provisioner and wherein exchanging credentials between the computing device and the vendor cloud provisioner comprises the trusted vendor providing credentials ("The provisioner can be authenticated with their own cloud, the manufacturer cloud, service provider cloud, or a decentralized system." [Kinsman '434 ¶ 0062]) For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Gulati '682 with the multiple levels and locations of authenticated provisioning of Kinsman '434 to arrive at an apparatus, method, and product including: the trusted vendor is correlated with the computing device at the vendor cloud provisioner and wherein exchanging credentials between the computing device and the vendor cloud provisioner comprises the trusted vendor providing credentials Per claim 11 (independent): Gulati '682 discloses an apparatus comprising a processor; and non-transitory computer readable storage media storing code, the code being executable by the processor to perform operations (processor(s), memory, computer readable media, storage, executable instructions [Gulati '682 ¶ 0324-0335]) The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 12 (dependent on claim 11): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 13 (dependent on claim 11): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 14 (dependent on claim 11): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 5 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 15 (dependent on claim 11): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 6 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 16 (dependent on claim 11): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 18 (dependent on claim 11): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 9 and 10 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 19 (independent): Gulati '682 discloses a program product comprising: a non-transitory computer readable storage medium storing code, the code being configured to be executable by a processor to perform operations (processor(s), memory, computer readable media, storage, executable instructions [Gulati '682 ¶ 0324-0335]) The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 20 (dependent on claim 19): Gulati '682 in view of Kinsman '434 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475. The examiner can normally be reached on MTWRF 7:30-4:30. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form. /THEODORE C PARSONS/Primary Examiner, Art Unit 2494