DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments with respect to the claim(s) rejected under 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant argued in the remark that even if the cited art were combined, there is no teaching or suggestion of:
i. bundling validated zero knowledge proof results, together with
ii. the negotiated protocol parameters, into
iii. a single notarization certificate whose defining characteristic is that it is disclosure free with respect to proprietary implementation details.
iv. Traditional notarization certificates merely attest to events or signatures. The claimed certificate is fundamentally different: it is a cryptographically verifiable compliance artifact derived from negotiated zero knowledge protocols.
The above argument is not clear. The best the examiner can see is the bundling of the software certificate and authentication parameters. Leblanc discloses:
[0028] According to embodiments, the method for signing a software image for use during computing device booting also includes computing a secure hash of the signed software image and submitting the hash to a time stamp authority (TSA) in order to acquire a first time stamp (TS1) 260. Subsequently, the CSR is submitted 270 to an intermediate certification authority (CA) and acquires 280 a time stamped signing certificate which has a second time stamp (TS2). Subsequently, the software image, software image certificate, TS1 and the certificate authentication chain are bundled. According to embodiments, the certificate authentication chain includes the signed certificate including TS2, the intermediate CA certificate (e.g., time stamped signing certificate) and the root CA certificate. This bundle is subsequently deployed for using during the start up or booting of a computing device.
[0032] A third check is to determine if TS1 is less than TS2 330. If TS1 is greater or equal to TS2, then the booting of the computing device is aborted. As defined above with respect to the method for signing a software image for use during computing device booting, TS1 is requested before TS2. As such TS2 must always be newer than TS1. For example, if TS1 is greater than TS2, it is a sign that TS1 was captured during its existence and was used to sign another software image. According to embodiments, this third check can ensure that the window of exploitation for a malicious actor to steal the signing keys is limited to the interval between the provision of TS1 and TS2.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4, 6, 8, 11, 13, 15, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chodroff et al. US 2024/0086503 and Allen et al. US 2020/0028945 in view of Leblanc US 2018/0285570.
As per claim 1, Chodroff discloses a computer-implemented method to generate a disclosure-free notarization certificate for a software artifact performed on a processor circuit including one or more processors, a bus, and a memory, the computer-implemented method comprising:
defining a plurality of protocol parameters to utilize during notarization, the plurality of protocol parameters including a zero-knowledge proof algorithm configured to verify correctness of the software artifact without revealing internal details thereof ([0053] Encryption module 210 may be configured to generate a hashed representation of the verification document. For example, encryption module 210 may utilize a hash function, such that a zero-knowledge proof may be employed to verify that the verification document is correct, without disclosing the exact details. It can be seen as the document is a software and it has been hashed by the hash function, wherein the hash function is equal to the Zero-Knowledge proof to verify the document without disclosing the exact details of the document software);
Chodroff does not disclose negotiating, with a software vendor, the plurality of protocol parameters to obtain negotiated protocol parameters, the negotiating comprising performing a multi-round exchange including:
proposing a first zero-knowledge proof algorithm, receiving vendor feedback, and selecting a second zero-knowledge proof algorithm and related security constraints based on the vendor feedback;
receiving at least one proof result from the software vendor, the at least one proof result generated using the zero-knowledge proof algorithm, the proof result providing compliance of the software artifact with the security constraints and the negotiated protocol parameters;
validating, by applying the zero-knowledge proof algorithm, the at least one proof result according to a verifier-side execution of the negotiated protocol parameters, and requesting an updated proof result from the software vendor in response to a verification failure; and
bundling, by a certificate-generation module, the at least one proof result after validation to generate the disclosure-free notarization certificate, wherein the disclosure-free notarization certificate that include the protocol parameters and confirms security or compliance properties of the software artifact without exposing proprietary or sensitive implementation details.
However, Allen et al. US 2020/0028945 disclose negotiating, with a software vendor, the plurality of protocol parameters to obtain negotiated protocol parameters (0041 a zero-knowledge protocol, sometimes referred to as a zero-knowledge proof, is employed. A zero-knowledge protocol is a method of exchanging information in which knowledge K is provided by a first party (the “prover”) is verified by a second party (the “verifier”), and in which no information other than the fact that the provider is in possession of knowledge K. In an embodiment, each entity is a prover in a first application of a zero-knowledge protocol and a verifier in a second application of a zero-knowledge protocol), the negotiating comprising performing a multi-round exchange including:
proposing a first zero-knowledge proof algorithm, receiving vendor feedback, and selecting a second zero-knowledge proof algorithm and related security constraints based on the vendor feedback (0044 discloses following application of one or more zero-knowledge proofs, the negotiation process continues by exchanging information about available services, and invoking one or more of the available services. This process may repeat, depending on the outcome of each service invocation, to permit further services to be exposed);
receiving at least one proof result from the software vendor, the at least one proof result generated using the zero-knowledge proof algorithm, the proof result providing compliance of the software artifact with the security constraints and the negotiated protocol parameters (0041 a zero-knowledge protocol, sometimes referred to as a zero-knowledge proof, is employed. A zero-knowledge protocol is a method of exchanging information in which knowledge K is provided by a first party (the “prover”) is verified by a second party (the “verifier”), and in which no information other than the fact that the provider is in possession of knowledge K. In an embodiment, each entity is a prover in a first application of a zero-knowledge protocol and a verifier in a second application of a zero-knowledge protocol); receiving vendor feedback as to whether the software vendor accepts the first zero-knowledge proof algorithm (0041 a zero-knowledge protocol, sometimes referred to as a zero-knowledge proof, is employed. A zero-knowledge protocol is a method of exchanging information in which knowledge K is provided by a first party (the “prover”)).
validating, by applying the zero-knowledge proof algorithm, the at least one proof result according to a verifier-side execution of the negotiated protocol parameters, and requesting an updated proof result from the software vendor in response to a verification failure (0041 a zero-knowledge protocol, sometimes referred to as a zero-knowledge proof, is employed. A zero-knowledge protocol is a method of exchanging information in which knowledge K is provided by a first party (the “prover”) is verified by a second party (the “verifier”), and in which no information other than the fact that the provider is in possession of knowledge K. In an embodiment, each entity is a prover in a first application of a zero-knowledge protocol and a verifier in a second application of a zero-knowledge protocol. 0044 discloses following application of one or more zero-knowledge proofs, the negotiation process continues by exchanging information about available services, and invoking one or more of the available services. This process may repeat, depending on the outcome of each service invocation, to permit further services to be exposed).
Chodroff and Allen are both considered to be analogous to the claimed invention because they are in the same field of Zero-knowledge proof.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chodroff to incorporate the teachings of Allen and provide zero-knowledge proof of the documents. Doing so would provide a negotiation of selecting the signing algorithm, thereby increasing the improvement of the document authenticity.
The combination fails to disclose bundling, by a certificate-generation module, the at least one proof result after validation to generate the disclosure-free notarization certificate, wherein the disclosure-free notarization certificate that include the protocol parameters and confirms security or compliance properties of the software artifact without exposing proprietary or sensitive implementation details.
However, Leblanc discloses wherein the software artifact comprises software code suitable of being partitioned into blocks for cryptographic proof operations (0029 the software image signature with the certificate, TS1, TS2, chain wherein the chain includes the blocks of the software image certificates); bundling, by a certificate-generation module, the at least one proof result after validation to generate the disclosure-free notarization certificate, wherein the disclosure-free notarization certificate that include the protocol parameters and confirms security or compliance properties of the software artifact without exposing proprietary or sensitive implementation details (0028, software image certificate, TS1 and the certificate authentication chain are bundled and the chain includes the signed certificate TS2, i.e. confirm security or compliance properties).
Chodroff, Allen and Leblanc are all considered to be analogous to the claimed invention because they are in the same field of Zero-knowledge proof.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chodroff to incorporate the teachings of Allen, including the teaching of Leblanc and provide zero-knowledge proof of the documents. Doing so would provide a negotiation of selecting the signing algorithm, thereby increasing the improvement of the document authenticity.
As per claim 4, Chodroff and Allen and Leblanc disclose the method as in claim 1. Allen discloses wherein a proof result is associated with a portion of the software artifact ([0158] The one or more application servers 1308 can include any appropriate hardware, software and firmware for integrating with the data storage 1310 as needed to execute aspects of one or more applications for the electronic client device 1302).
As per claim 6, Chodroff and Allen and Leblanc disclose the method as in claim 1. Allen discloses wherein validating the at least one proof result includes: applying the proof algorithm to analyze the at least one proof result (0044 the first and second entities each advertise a credential service through which validation credentials may be exchanged. The service is provided after an initial zero-knowledge proof of each entity's willingness and ability to participate in a negotiation process. After the zero-knowledge proof, each entity may invoke the other's respective service to obtain credentials, and validate the credentials through a third-party validation service. Upon completion of this process, a further set of services is advertised and invoked. For example, a device of the first entity (e.g., the individual's mobile phone) might advertise the individual's preferences, and a device of the second entity (e.g., a computing device at the location) might advertise a service which can customize the individual's experience at the location, a service which can provide information about the location).
As per claim 8, this claim is rejected based on the same rationale set forth in claim 1.
As per claim 11, this claim is rejected based on the same rationale set forth in claim 4.
As per claim 13, this claim is rejected based on the same rationale set forth in claim 6.
As per claim 15, this claim is rejected based on the same rationale set forth in claim 1.
As per claim 18, this claim is rejected based on the same rationale set forth in claim 6.
As per claim 20, this claim is rejected based on the same rationale set forth in claim 4.
Allowable Subject Matter
Claims 5 and 12 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form (all independent claims) including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496