DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the communication filed on 01/29/2025, claims 1-20 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 18/425,297.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-4, 10-12, and 14-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhou (US 2018/0248849).
Regarding claim 1, Zhou discloses a non-transitory machine-readable storage medium comprising instructions that upon execution cause an intermediary device to [see FIG. 1, Abstract: The application relates to a method for secure connection from a client computer device to a target computer resource comprising a server, comprising the following steps: the emission of a session-opening request by an application installed on the client station, leading to the creation of a primary session between the client station and the proxy gateway, the request containing either the identifier of the target server or the identifier of the target application; and the opening of a session between the proxy gateway and the server. The request-emission step is implemented by the prior opening of a primary session [RDP] between the client station and the proxy gateway by the transmission of a message containing the identifier of the target server or the identifier of the target application]; and
receive, at the intermediary device from a client device, a command associated with a secure protocol that secures a connection between the client device and a server system, wherein the intermediary device comprises an inline authentication and authorization service between the client device and the server system [¶¶ 0036-0045: The user is a network or system administrator having limited administration rights for a set of resources for which the network/system administrator is responsible. The network/system administrator has a terminal (100) communicating with the proxy gateway (300) (or “administration gateway”) by means of a connection (200) according to a protocol, for example, SSH (“secure shell”) or RDP (“remote desktop protocol”). The connection gives rise to the creation of a primary session (301) on the gateway (300). The user is identified by numerical identifiers that are specific to the user, and defining the user's rights, as well as the charging of the actions that the user performs. The gateway (300) comprises a database (302) in which the identifiers of the authorized users are recorded, as well as the associated rights, defining the targets (accounts and equipment) on which the user is entitled to act. At the time of connection, two methods for selecting the resource are possible: according to the first method, the user, at the time of the connection, specifies the target that the user wishes to access. In this case, the gateway checks whether the user identified by the user's identifier has necessary authorizations for accessing this target, according to the information recorded in the database (302). According to the second method, the gateway transmits to the user the list of targets corresponding to the data recorded in the database (302) in relation to the transmitted identifier, to enable the user to select one of the targets proposed.
The following step consists of opening a connection, generally with the same SSH or RDP protocol or with a second protocol, with the account associated with the selected target. This step comprises successively: [0045] the step of opening a secondary session between the proxy gateway and the server], and [¶¶ 0064-0071: FIG. 3 is a schematic view of the data exchanged between the various computer resources. At the time of connection by a user, the terminal (100) transmits the primary numerical identifiers to the proxy gateway (300). These authentication data are checked by the gateway (300) according to the information recorded in its database (302). In the case of validation, the gateway (302) transmits the list of authorized targets (C1 to C3). Each target corresponds to a pair: [0069] application; and [0070] account associated with the application. The account comprises: identification information; and authentication information, such as a password]; and
determine, by the inline authentication and authorization service at the intermediary device based on command enforcement policy information, whether to authorize the command received from the client device [¶¶ 0040-0043: The gateway (300) comprises a database (302) in which the identifiers of the authorized users are recorded, as well as the associated rights, defining the targets (accounts and equipment) on which the user is entitled to act. At the time of connection, two methods for selecting the resource are possible: according to the first method, the user, at the time of the connection, specifies the target that the user wishes to access. In this case, the gateway checks whether the user identified by the user's identifier has necessary authorizations for accessing this target, according to the information recorded in the database (302). According to the second method, the gateway transmits to the user the list of targets corresponding to the data recorded in the database (302) in relation to the transmitted identifier, to enable the user to select one of the targets proposed], and [¶¶ 0064-0074: FIG. 3 is a schematic view of the data exchanged between the various computer resources. At the time of connection by a user, the terminal (100) transmits the primary numerical identifiers to the proxy gateway (300). These authentication data are checked by the gateway (300) according to the information recorded in its database (302). In the case of validation, the gateway (302) transmits the list of authorized targets (C1 to C3). Each target corresponds to a pair: application; and [0070] account associated with the application. The account comprises: identification information; and authentication information, such as a password.
The gateway transmits to the user (100), for each of the authorized targets, only the designation of the application and the designation of the identifier of the account, but not the authentication information, in the form of character strings designating the application/account pairs].
Regarding claim 2, Zhou discloses wherein the server system comprises a network access device that provides access to a network by the client device [0002: This application relates to the field of application servers and, in particular, to methods and systems for access to application resources hosted on one or more servers by a user], and [0041: At the time of connection, two methods for selecting the resource are possible: [0042] according to the first method, the user, at the time of the connection, specifies the target that the user wishes to access. In this case, the gateway checks whether the user identified by the user's identifier has necessary authorizations for accessing this target, according to the information recorded in the database (302). [0043] according to the second method, the gateway transmits to the user the list of targets corresponding to the data recorded in the database (302) in relation to the transmitted identifier, to enable the user to select one of the targets proposed], and [see Figs. 2-3 and corresponding text for more details].
Regarding claim 3, Zhou discloses wherein the secure protocol comprises a Secure Shell (SSH) protocol, and the command is associated with the SSH protocol [0037: The network/system administrator has a terminal (100) communicating with the proxy gateway (300) (or “administration gateway”) by means of a connection (200) according to a protocol, for example, SSH (“secure shell”) or RDP (“remote desktop protocol”)]; see also ¶¶ 0064-0078.
Regarding claim 4, Zhou discloses wherein the command is to control a feature of the server system, and the command is protected by the secure protocol [0037: The network/system administrator has a terminal (100) communicating with the proxy gateway (300) (or “administration gateway”) by means of a connection (200) according to a protocol, for example, SSH (“secure shell”) or RDP (“remote desktop protocol”)], and [¶¶ 0077-0078: …in the case where the user has selected a specific application, it proceeds with the execution thereof, either directly or by means of a specialist computer code. This code requests of the gateway the identifier of the account of the application as well as the authentication data associated with this account. The computer code then transmits this information to the application in order to control the execution of the application].
Regarding claim 10, Zhou discloses wherein the instructions upon execution cause the intermediary device to: update an audit log by adding information relating to the command to the audit log, wherein the audit log comprises information of commands processed at the inline authentication and authorization service in the intermediary device [¶¶ 0039-0040, 0051, 0064-0077].
Regarding claim 11, Zhou discloses wherein the command enforcement policy information specifies one or more conditions under which respective commands are allowed [¶¶ 0040-0043: The gateway (300) comprises a database (302) in which the identifiers of the authorized users are recorded, as well as the associated rights, defining the targets (accounts and equipment) on which the user is entitled to act. At the time of connection, two methods for selecting the resource are possible: according to the first method, the user, at the time of the connection, specifies the target that the user wishes to access. In this case, the gateway checks whether the user identified by the user's identifier has necessary authorizations for accessing this target, according to the information recorded in the database (302). According to the second method, the gateway transmits to the user the list of targets corresponding to the data recorded in the database (302) in relation to the transmitted identifier, to enable the user to select one of the targets proposed].
Regarding claim 12, Zhou discloses wherein the one or more conditions comprise a condition based on ownership information indicating an owner or manager of the client device [¶¶ 0040-0043: The gateway (300) comprises a database (302) in which the identifiers of the authorized users are recorded, as well as the associated rights, defining the targets (accounts and equipment) on which the user is entitled to act. At the time of connection, two methods for selecting the resource are possible: according to the first method, the user, at the time of the connection, specifies the target that the user wishes to access. In this case, the gateway checks whether the user identified by the user's identifier has necessary authorizations for accessing this target, according to the information recorded in the database (302). According to the second method, the gateway transmits to the user the list of targets corresponding to the data recorded in the database (302) in relation to the transmitted identifier, to enable the user to select one of the targets proposed].
Regarding claim 14, Zhou discloses wherein the one or more conditions comprise a condition based on a rate of commands received from the client device [0026: Preferably, the gateway comprises means for calculating a balance of the charges according to the number of connections already opened to each of the servers, and selection of the least busy server for the new request].
Regarding claim 15, Zhou discloses wherein the one or more conditions comprise a condition based on a quantity of server systems to which the client device is connected [0026: Preferably, the gateway comprises means for calculating a balance of the charges according to the number of connections already opened to each of the servers, and selection of the least busy server for the new request].
Regarding claims 16 and 19, the subject matter of independent claims 16 and 19 contains features corresponding to those of claim 1, expressed in analogous terms, and additionally the following features recited in claims 16 and 19: Zhou discloses, based on determining that the command is authorized according to the command enforcement policy information, causing sending, from the intermediary device, of the command to the server system for execution at the server system [see Figs. 1-2 and corresponding text for more details; ¶¶ 0036-0044, 0064-0071].
Regarding claim 17, Zhou discloses wherein the intermediary device behaves as a server to the client device, and the intermediary device behaves as a client to the server system [see Figs. 1-2 and corresponding text for more details; ¶¶ 0036-0044, 0064-0071].
Regarding claim 18, Zhou discloses wherein the instructions are executable on the hardware processor to: receive, at the inline authentication and authorization service from a client device, an authentication request; and based on receiving the authentication request, perform an authentication procedure between the client device and the intermediary device to authenticate the client device, wherein the command from the client device is transmitted by the client device after the authenticating of the client device [see Figs. 1-2 and corresponding text for more details; ¶¶ 0036-0044, 0064-0071].
Regarding claim 20, Zhou discloses wherein the command is an administrative command to control a feature of the server system [0037: The network/system administrator has a terminal (100) communicating with the proxy gateway (300) (or “administration gateway”) by means of a connection (200) according to a protocol, for example, SSH (“secure shell”) or RDP (“remote desktop protocol”)], and [¶¶ 0077-0078: …in the case where the user has selected a specific application, it proceeds with the execution thereof, either directly or by means of a specialist computer code. This code requests of the gateway the identifier of the account of the application as well as the authentication data associated with this account. The computer code then transmits this information to the application in order to control the execution of the application].
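As an added illustration of the architecture the rejected claims recite (this is example code written for this page, not code from the office action, Zhou or Ahn), the following Python sketch models an inline authorization service at an intermediary device: it evaluates each received SSH command against command enforcement policy conditions of the kinds named in claims 11-15 (device ownership, malware protection status, command rate, number of connected servers), records every decision in an audit log (claim 10), and forwards only authorized commands toward the server system (claim 16). All class names, policy fields, the chaining check and the sample commands are assumptions made for the example.

```python
# Added example: inline command authorization at an intermediary (SSH proxy) device.
# Names, policy fields and sample commands are constructed for illustration only.
from collections import defaultdict, deque
from dataclasses import dataclass
import re

# Shell operators that would let an allow-listed command carry a second, unreviewed one.
# Assumption: the policy treats any of these as a denial rather than trying to parse them.
CHAINING = re.compile(r"[;&|`\n]|\$\(")


@dataclass
class ClientContext:
    """What the intermediary knows about the already-authenticated client device."""
    client_id: str
    owner: str                    # owner/manager of the device (claim 12)
    malware_protection: bool      # endpoint protection reported present (claim 13)
    connected_servers: frozenset  # server systems the client is currently connected to (claim 15)


@dataclass
class CommandPolicy:
    """Command enforcement policy information (claim 11)."""
    allowed_patterns: tuple            # full-match regexes for permitted commands
    allowed_owners: frozenset          # device owners permitted to issue commands (claim 12)
    max_commands: int                  # rate limit: at most this many commands ...
    window_seconds: float              # ... received within this sliding window (claim 14)
    max_connected_servers: int         # claim 15
    require_malware_protection: bool   # claim 13


@dataclass
class Decision:
    authorized: bool
    reason: str


class InlineAuthorizationService:
    def __init__(self, policy: CommandPolicy):
        self.policy = policy
        self._history = defaultdict(deque)  # client_id -> timestamps of recently received commands
        self.audit_log = []                 # claim 10: one record per processed command

    def _evaluate(self, ctx: ClientContext, command: str, now: float) -> Decision:
        p = self.policy
        if ctx.owner not in p.allowed_owners:
            return Decision(False, "device owner not permitted")
        if p.require_malware_protection and not ctx.malware_protection:
            return Decision(False, "malware protection missing on client")
        if len(ctx.connected_servers) > p.max_connected_servers:
            return Decision(False, "too many server connections")
        hist = self._history[ctx.client_id]
        while hist and now - hist[0] >= p.window_seconds:  # drop timestamps outside the window
            hist.popleft()
        if len(hist) >= p.max_commands:
            return Decision(False, "command rate exceeded")
        if CHAINING.search(command):
            return Decision(False, "command chaining not allowed")
        if not any(re.fullmatch(pat, command) for pat in p.allowed_patterns):
            return Decision(False, "command not in allow list")
        return Decision(True, "matches policy")

    def handle(self, ctx: ClientContext, command: str, now: float, send_to_server) -> Decision:
        """Authorize one received command; forward it only if authorized (claim 16)."""
        decision = self._evaluate(ctx, command, now)
        self._history[ctx.client_id].append(now)   # every received command counts toward the rate
        self.audit_log.append({"time": now, "client": ctx.client_id, "command": command,
                               "authorized": decision.authorized, "reason": decision.reason})
        if decision.authorized:
            send_to_server(command)
        return decision


def demo():
    """Constructed scenario: one client sends five commands through the service."""
    policy = CommandPolicy(
        allowed_patterns=(r"systemctl (status|restart) [a-z-]+", r"journalctl -u [a-z-]+ -n \d+"),
        allowed_owners=frozenset({"netops"}),
        max_commands=3, window_seconds=10.0,
        max_connected_servers=2, require_malware_protection=True)
    svc = InlineAuthorizationService(policy)
    forwarded = []   # stands in for the session toward the server system
    ctx = ClientContext("laptop-17", "netops", True, frozenset({"srv-a"}))
    script = [
        (0.0, "systemctl status sshd"),                    # allowed
        (1.0, "systemctl status sshd; shutdown -h now"),   # chaining: denied
        (2.0, "shutdown -h now"),                          # not on the allow list: denied
        (3.0, "systemctl restart sshd"),                   # 4th command within 10 s: rate exceeded
        (12.0, "journalctl -u sshd -n 50"),                # window has slid: allowed
    ]
    results = [svc.handle(ctx, cmd, t, forwarded.append) for t, cmd in script]
    return results, forwarded, svc.audit_log


if __name__ == "__main__":
    for rec in demo()[2]:
        print(rec)
```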
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 5-6, 9, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Zhou (US 2018/0248849; US 2016/0085955) in view of Ahn (US 2017/0187733).
Regarding claim 5, Zhou does not explicitly disclose, however, Ahn discloses wherein the command received at the intermediary device from the client device is in an encrypted form, and wherein the instructions upon execution cause the intermediary device to [0025: At step #9, rule gate 120 may route the packets comprising the data configured to establish the connection between hosts 106 and 142 to proxy device 112 and, at step #10, may communicate the packets to proxy device 112. For example, rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on data in the packets, for example, one or more ports (e.g., port 443) indicated by transport-layer headers in the packets, indicating the connection between hosts 106 and 142 will be utilized to establish an encrypted communication session or tunnel (e.g., a session established in accordance with the transport layer security (TLS) protocol, secure sockets layer (SSL) protocol, secure shell (SSH) protocol, or the like). In some embodiments, rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on a determination that one or more of hosts 106 or 142 is associated with a network address for which rules 212 indicate encrypted communications should be established via one or more of proxy devices 112, 114, or 116. For example, proxy devices 112, 114, and 116 may be part of a proxy system (e.g., a SSL/TLS proxy system) that enables packet-filtering system 200 to filter packets comprising encrypted data based on information within the encrypted data, and rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on a determination that host 142 is associated with a network address of a domain corresponding to the network-threat indicators]; and
decrypt the command to produce a decrypted command, wherein the authorizing is performed with respect to the decrypted command [0037: Proxy device 112 may receive the packets and decrypt the data in accordance with the parameters of session 306. The packets may comprise a request (e.g., a hypertext transfer protocol (HTTP) request), and proxy device 112 may comprise an ICAP client, which, at step #20, may communicate the packets to ICAP server 132…]; and
based on the authorizing of the decrypted command, re-encrypt the decrypted command to produce an encrypted command; and cause sending of the encrypted command from the intermediary device to the server system [0035: Similarly, at step #18, proxy device 114 and host 142 may communicate packets comprising data configured to establish encrypted communication session 308 (e.g., a SSL/TLS session) between proxy device 114 and host 142 via connection 304], and
[0041: Proxy device 114 may receive the packets and generate one or more corresponding packets comprising data encrypted in accordance with one or more parameters of session 308 and, at step #23, may communicate the packets to host 142].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zhou by incorporating packet-filtering system rules, as taught by Ahn. One could have been motivated to do so in order to apply a packet-filtering rule gate 120 which routes the packets comprising the data configured to establish the connection between hosts 106 and 142 to proxy device 112 and, at step #10, may communicate the packets to proxy device 112. For example, rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on data in the packets, for example, one or more ports (e.g., port 443) indicated by transport-layer headers in the packets, indicating the connection between hosts 106 and 142 will be utilized to establish an encrypted communication session or tunnel (e.g., a session established in accordance with the transport layer security (TLS) protocol, secure sockets layer (SSL) protocol, secure shell (SSH) protocol, or the like) [Ahn, Abstract, 0025].
Regarding claim 6, Zhou does not explicitly disclose, however, Ahn discloses, wherein the instructions upon execution cause the intermediary device to: establish a first session between the intermediary device and the client device, wherein the command in the encrypted form is received from the client device in the first session [0025] At step #9, rule gate 120 may route the packets comprising the data configured to establish the connection between hosts 106 and 142 to proxy device 112 and, at step #10, may communicate the packets to proxy device 112. For example, rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on data in the packets, for example, one or more ports (e.g., port 443) indicated by transport-layer headers in the packets, indicating the connection between hosts 106 and 142 will be utilized to establish an encrypted communication session or tunnel (e.g., a session established in accordance with the transport layer security (TLS) protocol, secure sockets layer (SSL) protocol, secure shell (SSH) protocol, or the like). In some embodiments, rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on a determination that one or more of hosts 106 or 142 is associated with a network address for which rules 212 indicate encrypted communications should be established via one or more of proxy devices 112, 114, or 116. For example, proxy devices 112, 114, and 116 may be part of a proxy system (e.g., a SSL/TLS proxy system) that enables packet-filtering system 200 to filter packets comprising encrypted data based on information within the encrypted data, and rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on a determination that host 142 is associated with a network address of a domain corresponding to the network-threat indicators], and [0070]; and
establish a second session between the intermediary device and the server system, wherein the sending of the encrypted command from the intermediary device to the server system occurs in the second session [0035: Similarly, at step #18, proxy device 114 and host 142 may communicate packets comprising data configured to establish encrypted communication session 308 (e.g., a SSL/TLS session) between proxy device 114 and host 142 via connection 304], and [0041: Proxy device 114 may receive the packets and generate one or more corresponding packets comprising data encrypted in accordance with one or more parameters of session 308 and, at step #23, may communicate the packets to host 142].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zhou by incorporating packet-filtering system rules, as taught by Ahn. One could have been motivated to do so in order to apply a packet-filtering rule gate 120 which routes the packets comprising the data configured to establish the connection between hosts 106 and 142 to proxy device 112 and, at step #10, may communicate the packets to proxy device 112. For example, rules 212 may be configured to cause rule gate 120 to route the packets to proxy device 112 based on data in the packets, for example, one or more ports (e.g., port 443) indicated by transport-layer headers in the packets, indicating the connection between hosts 106 and 142 will be utilized to establish an encrypted communication session or tunnel (e.g., a session established in accordance with the transport layer security (TLS) protocol, secure sockets layer (SSL) protocol, secure shell (SSH) protocol, or the like) [Ahn, Abstract, 0025].
Regarding claim 9, Zhou does not explicitly disclose, however, Ahn discloses wherein the intermediary device is in a cloud computing environment [¶¶ 0012-0013: Referring to FIG. 1, environment 100 may include networks 102 and 104. Network 102 may comprise one or more networks (e.g., Local Area Networks (LANs), Wide Area Networks (WANs), Virtual Private Networks (VPNs), or combinations thereof) associated with one or more individuals or entities (e.g., governments, corporations, service providers, or other organizations). Network 104 may comprise one or more networks (e.g., LANs, WANs, VPNs, or combinations thereof) that interface network 102 with one or more other networks (not illustrated). For example, network 104 may comprise the Internet, a similar network, or portions thereof. Environment 100 may also include one or more hosts, such as computing or network devices (e.g., servers, desktop computers, laptop computers, tablet computers, mobile devices, smartphones, routers, gateways, firewalls, switches, access points, or the like). For example, network 102 may include hosts 106, 108, and 110, proxy devices 112, 114, and 116, web proxy 118, rule gates 120, 122, 124, 126, and 128, domain name system (DNS) 130, Internet content adaptation protocol (ICAP) server 132, and gateway 134. As used herein, “host” (or “hosts”) refers to any type of network device (or node) or computing device].
Regarding claim 13, Zhou does not explicitly disclose, however, Ahn discloses, wherein the one or more conditions comprise a condition based on information of a malware protection program of the client device [0001] Network security is becoming increasingly important as the information age continues to unfold. Network threats may take a variety of forms (e.g., unauthorized requests or data transfers, viruses, malware, large volumes of traffic designed to overwhelm resources, and the like). Network-threat services provide information associated with network threats, for example, reports that include listings of network-threat indicators (e.g., network addresses, domain names, uniform resource identifiers (URIs), and the like). Such information may be utilized to identify network threats], and [0018] Referring to FIG. 3A, at step #1, threat-intelligence providers 140 may communicate one or more threat-intelligence reports to rule providers 138. The threat-intelligence reports may include one or more network-threat indicators, for example, domain names (e.g., fully qualified domain names (FQDNs)), URIs, network addresses, or the like. At step #2, rule providers 138 may utilize the threat-intelligence reports to generate one or more packet-filtering rules configured to identify packets comprising data corresponding to the network-threat indicators. At step #3, rule providers 138 may communicate the packet-filtering rules to rule gate 120. As indicated by the crosshatched boxes over the lines extending downward from network 104, rule gate 128, and gateway 134, the packet-filtering rules may traverse network 104, rule gate 128, and gateway 134. For example, network 104 and gateway 134 may interface rule providers 138 and rule gate 120, and rule gate 128 may interface a communication link interfacing network 104 and gateway 134. 
Rule gate 120 may receive the packet-filtering rules generated by rule providers 138 and, at step #4, may utilize the received packet-filtering rules to configure rules 212 to cause packet-filtering system 200 to identify packets comprising data corresponding to at least one of the plurality of network-threat indicators].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zhou by incorporating a packet-filtering system, as taught by Ahn. One could have been motivated to do so in order to filter packets in accordance with packet-filtering rules: the system receives data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators [Ahn, Abstract].
Claims 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Zhou (US 2018/0248849; US 2016/0085955) in view of Luukkala (US 2018/0191725).
Regarding claim 7, Zhou does not explicitly disclose, however, Luukkala discloses, wherein the instructions upon execution cause the intermediary device to: authenticate, by the inline authentication and authorization service, the client device using a certificate of the client device [0202-0204] The intermediate monitoring device 120 comprises appropriate interface apparatus for communication with the various other entities. In the example interface 122 is for communications with the user device 111. When the user initiates access, using his user terminal device 111, to a target host, instead of accessing directly the target host, the user access first the intermediate device 120. The access to the device 120 can be handled by a client 112 provided at the user device 111 and configured to communicate with a client or server 121 provided at the intermediate device 120. Communications 116 between the intermediate device 120 and the hosts can be handled via interface 123. The communications can be based on an authenticator obtained from the security device 125… , the security device may be provided within the intermediate node or as a therein integrated component, and thus the interface between the intermediate device 120 and the security device may be an internal interface within device 120. An agent 127 for communication towards the security device 125 may also be provided in some examples. The agent can be configured to implement a SSH agent protocol, communicate e.g. with the CA, obtain user authentication information, and take care of the user authentication authenticators, for example keypairs. The intermediate device 120 terminates the session of the user and may authenticate the user based on an auditor policy. The intermediate device can embed a CA client functionality and use the CA client to sign the public key of the user with the CA. The CA can verify the user authentication information with the system of record. 
CA can also resolve the user principals with the system of record. CA creates the certificate containing the user public key and other attributes, for example the principals, and signs the resulting certificate with its private key. Crypto auditor device uses the certificate in the authentication together with the corresponding private key. The target server then verifies the certificate of the user. The target server verifies that the user principals can be used to log in to the requested system account], and [Abstract, 0031, 0039, 0210].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zhou by incorporating access control relationships between entities, as taught by Luukkala. One could have been motivated to do so in order to implement a chain of access relationships from a first entity via at least one intermediate entity to a second entity, where the source entity is permitted to access the destination entity. The permission may be based on appropriate security credentials such as keys, certificates and so on [Luukkala, Abstract, 0031, 0039, 0210].
Regarding claim 8, Zhou discloses wherein the authenticating of the client device and the authorizing of the command are performed without any involvement of the server system [¶¶ 0040-0043: The gateway (300) comprises a database (302) in which the identifiers of the authorized users are recorded, as well as the associated rights, defining the targets (accounts and equipment) on which the user is entitled to act. At the time of connection, two methods for selecting the resource are possible: according to the first method, the user, at the time of the connection, specifies the target that the user wishes to access. In this case, the gateway checks whether the user identified by the user's identifier has necessary authorizations for accessing this target, according to the information recorded in the database (302). According to the second method, the gateway transmits to the user the list of targets corresponding to the data recorded in the database (302) in relation to the transmitted identifier, to enable the user to select one of the targets proposed], and [¶¶ 0064-0076].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
See 892 for more relevant references.
Hayton (US 2015/0319174) [0001: Aspects described herein generally relate to authentication of client devices within enterprise systems. More specifically, certain aspects herein provide techniques to authenticate and authorize client devices in enterprise systems via a gateway device].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Primary Examiner, Art Unit 2496