Prosecution Insights
Last updated: July 17, 2026
Application No. 18/576,042

ESTABLISHING A TRUST RELATIONSHIP BETWEEN AN APPLICATION ENTITY AND A WIRELESS COMMUNICATION NETWORK

Final Rejection §103§112
Filed
Jan 02, 2024
Priority
Jul 02, 2021 — GR 20210100453 +2 more
Examiner
WRIGHT, BRYAN F
Art Unit
2497
Tech Center
2400 — Computer Networks
Assignee
Lenovo (United States) Inc.
OA Round
2 (Final)
78%
Grant Probability
Favorable
3-4
OA Rounds
7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
638 granted / 815 resolved
+20.3% vs TC avg
Strong +24% interview lift
Without
With
+24.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
20 currently pending
Career history
839
Total Applications
across all art units

Statute-Specific Performance

§101
3.7%
-36.3% vs TC avg
§103
83.1%
+43.1% vs TC avg
§102
6.8%
-33.2% vs TC avg
§112
2.6%
-37.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 815 resolved cases

Office Action

§103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. FINAL ACTION This action is in response to applicant’s amendments submitted on 03/12/2026. Claims 1-20 are amended. Claims 1-20 are pending. Response to Arguments Examiner’s Remarks - Claim Objections The examiner withdraws the claim objection with regards to, “such that”, in view of applicant’s claim amendment(s). The examiner withdraws the claim objection with regards to, “processor”, in view of applicant’s claim amendment(s). Examiner’s Remarks - - 35 USC § 103 – Independent claims 1 and 16 The applicant has amended independent claims 1 and 16 to include the new feature(s) of, “wherein the at least one verifiable parameter comprises a credential generated by the first network function and provided to the application entity for authentication of the application entity by the second network function”. In view of the new claim amendment(s) the examiner introduces the teachings of prior art reference Guo et al. (US Patent No. 12,382,284) to the record. The examiner contends that Guo teaches credential based authentication. See rejection below. Examiner’s Remarks - - 35 USC § 103 – Independent claims 9 and 12 The applicant has amended independent claims 9 and 12 to include the new feature(s) of, “wherein the CCA token generated by the first network function is used for authentication of the application entity by the second network function” and “wherein the CCA token of the first network function is used for authentication of the application entity by the third network function”. In view of the new claim amendment(s) the examiner introduces the teachings of prior art reference Guo et al. (US Patent No. 12,382,284) to the record. The examiner contends that Guo teaches credential based authentication. See rejection below. Claim Objections Claims 1-15 are objected to because of the following informalities: “equipment”. The examiner recommends that the applicant replace “equipment” with “device or apparatus”. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1 and 16 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The examiner contends that the applicant’s newly amended feature(s) of, “wherein the CCA token generated by the first network function is used for authentication of the application entity by the second network function”, lacks support from original disclosure. The examiner notes applicant’s paragraph 0155 the following: “[0149] In various embodiments, the network apparatus 600 is a middleware, MnS, or a CP, described above. In such embodiments, the processor 605 generates, at a first network function, a client credential assertion (“CCA”) token for the first network function. [0150] In one embodiment, a transceiver 625 sends, from the first network function, an authentication request to a second network function for authenticating an application entity. In some embodiments, a transceiver 625 receives, at the first network function from the second network function, a response to the authentication request comprising a network address identifier (“NAI”) for the second network function.[0151] In one embodiment, a transceiver 625 sends, from the first network function to the application entity, the response to the authentication request comprising the NAI for the second network function and the CCA token of the first network function for establishing a security association between the application entity and the second network function.”. It would appear that both a network address identifier and a CCA token are required establishes a security association between application entity and second network function. Claim 9 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The examiner contends that the applicant’s newly amended feature(s) of, “wherein the CCA token generated by the first network function is used for authentication of the application entity by the second network function”, lacks support from original disclosure. The examiner notes applicant’s paragraph 0155 the following: “[0149] In various embodiments, the network apparatus 600 is a middleware, MnS, or a CP, described above. In such embodiments, the processor 605 generates, at a first network function, a client credential assertion (“CCA”) token for the first network function. [0150] In one embodiment, a transceiver 625 sends, from the first network function, an authentication request to a second network function for authenticating an application entity. In some embodiments, a transceiver 625 receives, at the first network function from the second network function, a response to the authentication request comprising a network address identifier (“NAI”) for the second network function.[0151] In one embodiment, a transceiver 625 sends, from the first network function to the application entity, the response to the authentication request comprising the NAI for the second network function and the CCA token of the first network function for establishing a security association between the application entity and the second network function.”. It would appear that both a network address identifier and a CCA token are required to establish a security association between application entity and second network function. Claim 12 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The examiner contends that the applicant’s newly amended feature(s) of, “wherein the CCA token of the first network function is used for authentication of the application entity by the third network function”, lacks support from original disclosure. The examiner notes applicant’s specification discloses the following: “[0158] In one embodiment, a processor 605 generates, at the first network function, a second secret token at the first network function and sending the second secret token to the third network function for use in authenticating the application entity with the third network function. [0159] In one embodiment, a transceiver 625 sends, from the first network function, the second secret token to the application entity for use in authenticating the application entity with the third network function.”. It would appear that a second secret token is generated with regards to authenticating the application entity with the third network function. In par. 00178 the applicant states the following: “the second management message comprising an application entity identifier, an application identifier, and the CCA token of the first network function and receiving, from the second network function, a second secret token, an NAI of a third network function, and a CCA token associated with the second network function in response to the CCA token associated with the first network function being verified.”. It would appear that the CCA token is not the same second secret token being generated to authenticate the application entity to the third network function. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 2 and 7-17 are rejected under 35 U.S.C. 103 as being unpatentable over Chang et al. (US Patent Publication No. 2015/0074395 and Chang hereinafter) in view of TRAN (US Patent Publication No. 2018/0219863) and further in view of Guo et al. (US Patent No. 12,382,284 and Guo hereinafter). As to claims 1 and 16, Chang teaches a network equipment (NE) for wireless communication, comprising: at least one memory (i.e., …teaches in par. 0005 the following: “The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors.”); and at least one processor coupled with the at least one memory and configured to cause the NE to (i.e., …teaches in par. 0005 the following: “The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors.”): send, from an application entity, a request to a first network function to authenticate the application entity to a second network function that does not have a trust relationship with the application entity (i.e., …teaches in par. 0032 the following: “To establish the trust relationship, administrator 308 of device 302 initiates a registration request to register the one or more applications with the one or more resources via a user interface (UI) to trust relationship establishment mechanism 306. Administrator 308 may then submit the registration request and, by sending the registration request via trust relationship establishment mechanism 306, trust relationship establishment mechanism 306 may send the registration request to trust relationship establishment mechanism 316 as an authorized registration request. Those skilled in the art will recognize that trust relationship establishment mechanism 306 may send additional credential data in the registration request to trust relationship establishment mechanism 316 to enable trust relationship establishment mechanism 316 to validate authenticity of subsequent request in a next trust establishment operation.”), the request comprising at least one verifiable parameter for authenticating the application entity (i.e., …teaches in par. 0032 the following: “may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like.”); receive a result of the authentication from at least one of the first and second network functions (i.e., …teaches in par. 0035 the following: “If trust relationship establishment mechanism 316 verifies that the redirection URI included with the access token request is the same as the redirection URI provided with the registration request, the trust relationship establishment mechanism 316 sends an access token back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316.”); and a processor that establish a trust relationship between the application entity and the second network function wherein the application entity can communicate with the second network function in response to the application entity being authenticated (i.e., …teaches in par. 0035 the following: “the access token may be used by resource-side system to grant application side devices and users authorized access to resource side resources.”). Chang does not expressly the first network function having a trust relationship with the application entity and the second network function. In this instance the examiner notes the teachings of prior art reference Tran. TRAN teaches in par. 0020 the following: “The service registry 106 can authenticate the registration requests using the pre-established trust relationship. The system 100 creates the trust relationship by binding each of the first application 108, the second application 110 and the third application 112 to a service instance of the service registry…”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Chang with the teachings of TRAN by having their system comprise an enhanced application security process. One would have been motivated to do so to provide a simple and effective means to configure application security, wherein the enhanced application security process helps to prevent unauthorized applications in the network and makes it easier to ensure network system security. The system of Chang and TRAN does not expressly teach: wherein the at least one verifiable parameter comprises a credential generated by the first network function and provided to the application entity for authentication of the application entity by the second network function. In this instance the examiner notes the teachings of prior art reference Guo. Guo teaches as part of his claim 1 limitation element(s) the following: “generating a first credential based on a second credential, the second credential generated for a primary authentication procedure between the UE and a cellular network, wherein the second credential is an Authentication Server Function (AUSF) key (K.sub.AUSF); generating an identifier corresponding to the first credential, said identifier uniquely identifying the first credential; calculating a multi-access edge computing (MEC) authorization parameter using the first credential and a second identifier, the second identifier being a globally unique value associated with an edge enabler client (EEC) running on the UE; transmitting an application registration request message to a server associated with an edge data network, the application registration request message including the second identifier, the second identifier corresponding to the first credential and the MEC authorization parameter; and receiving an authentication accept message or an authentication reject message from the server associated with the edge data network, wherein the authentication accept message or the authentication rejection message is based on a validation of the MEC authorization parameter.”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Chang and TRAN with the teachings of Guo by having their system comprise an enhanced access security process. One would have been motivated to do so to provide a simple and effective means to control communication access within a network, wherein the enhanced access security process helps to prevent unauthorized access within the network and makes it easier to ensure access control. As to claims 2 and 17, the system of Chang, Tran and Guo as applied to claim 1 above teaches trust relationship, specifically Chang teaches a NE of claim 1, wherein the at least one processor is configured to cause the NE to receive, from the first network function, a network address identifier ("NAI") of the second network function (i.e., …teaches in par. 0032 the following: “To establish the trust relationship, administrator 308 of device 302 initiates a registration request to register the one or more applications with the one or more resources via a user interface (UI) to trust relationship establishment mechanism 306. Administrator 308 may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like.”), and a client credential assertion ("CCA") token associated with the first network function (i.e., …teaches in par. 0032 the following: “To establish the trust relationship, administrator 308 of device 302 initiates a registration request to register the one or more applications with the one or more resources via a user interface (UI) to trust relationship establishment mechanism 306. Administrator 308 may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like.”). As to claim 7, the system of Chang, Tran and Guo as applied to claim 1 above teaches trust relationship, specifically Chang teaches a NE of claim 1, wherein the at least one processor is configured to cause the NE to determine application entity information for the application entity, the application entity information comprising at least one of an application entity identifier, an application identifier, and management information for authenticating the application entity with a mobile wireless communication network (i.e., …teaches in par. 0003 the following: “an authorization code and a symmetric key”). As to claim 8, the system Chang, Tran and Guo as applied to claim 7 above teaches trust relationship, specifically Chang teaches a NE of claim 7, wherein the management information comprises a service description associated with the application entity (i.e., …teaches in par. 0032 the following: “scope that identifies a role of the requesting one or more applications” …teaches in par. 0032 the following: “any additional authentication data associated with the application”.), the service description translated into a slice blueprint at the second network function to derive an application identifier (i.e., …teaches in par. 0032 the following: “scope that identifies a role of the requesting one or more applications” …teaches in par. 0034 the following: “verifiable authentication data,”.). As to claim 9, Chang teaches a network equipment (NE) for wireless communication, comprising: at least one memory (i.e., …teaches in par. 0005 the following: “The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment”); and at least one processor coupled with the at least one memory and configured to cause the NE to (i.e., …teaches in par. 0005 the following: “The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment”): generate, at a first network function, a client credential assertion ("CCA") token for the first network function (i.e., …teaches in par. 0032 the following: “…device 302 initiates a registration request to register the one or more applications with the one or more resources via a user interface (UI) to trust relationship establishment mechanism 306. Administrator 308 may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like.”); send from the first network function, an authentication request to a second network function for authenticating an application entity (i.e., …teaches in par. 0032 the following: “then submit the registration request and, by sending the registration request via trust relationship establishment mechanism 306, trust relationship establishment mechanism 306 may send the registration request to trust relationship establishment mechanism 316 as an authorized registration request.”), the authentication request comprising the CCA token of the first network function (i.e., …teaches in par. 0032 the following: “…device 302 initiates a registration request to register the one or more applications with the one or more resources via a user interface (UI) to trust relationship establishment mechanism 306. Administrator 308 may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like.”), receive, at the first network function from the second network function, a response to the authentication request comprising a network address identifier ("NAI") for the second network function (i.e., …teaches in par. 0033 the following: “response back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316 using the redirection URI provided by the trust relationship establishment mechanism 306.”); and send, from the first network function to the application entity, the response to the authentication request comprising the NAI for the second network function and the CCA token of the first network function for establishing a security association between the application entity and the second network function (i.e., …teaches in par. 0033 the following: “response back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316 using the redirection URI provided by the trust relationship establishment mechanism 306.” …teaches in par. 0035 the following: “verifies that the redirection URI included with the access token request matches the redirection URI provided with the registration request. If trust relationship establishment mechanism 316 verifies that the redirection URI included with the access token request is the same as the redirection URI provided with the registration request, the trust relationship establishment mechanism 316 sends an access token back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316. … the access token may be used by resource-side system to grant application side devices and users authorized access to resource side resources”). Chang does not expressly the application entity having a trust relationship with the first network function and not the second network function. In this instance the examiner notes the teachings of prior art reference Tran. TRAN teaches in par. 0025 the following: “Each of the first application 108, second application 110 and third application 112 can perform authentication of the respective invocation request using the received token through the service registry 106.”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Chang with the teachings of TRAN by having their system comprise an enhanced application security process. One would have been motivated to do so to provide a simple and effective means to configure application security, wherein the enhanced application security process helps to prevent unauthorized applications in the network and makes it easier to ensure network system security. The system of Chang and TRAN does not expressly teach: wherein the CCA token generated by the first network function is used for authentication of the application entity by the second network function. In this instance the examiner notes the teachings of prior art reference Guo. Guo teaches as part of his claim 1 limitation element(s) the following: “generating a first credential based on a second credential, the second credential generated for a primary authentication procedure between the UE and a cellular network, wherein the second credential is an Authentication Server Function (AUSF) key (K.sub.AUSF); generating an identifier corresponding to the first credential, said identifier uniquely identifying the first credential; calculating a multi-access edge computing (MEC) authorization parameter using the first credential and a second identifier, the second identifier being a globally unique value associated with an edge enabler client (EEC) running on the UE; transmitting an application registration request message to a server associated with an edge data network, the application registration request message including the second identifier, the second identifier corresponding to the first credential and the MEC authorization parameter; and receiving an authentication accept message or an authentication reject message from the server associated with the edge data network, wherein the authentication accept message or the authentication rejection message is based on a validation of the MEC authorization parameter.”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Chang and TRAN with the teachings of Guo by having their system comprise an enhanced access security process. One would have been motivated to do so to provide a simple and effective means to control communication access within a network, wherein the enhanced access security process helps to prevent unauthorized access within the network and makes it easier to ensure access control. As to claim 10, the system of Chang, Tran and Guo as applied to claim 9 above teaches trust relationship, specifically Chang teaches a NEof claim 9, wherein the at least one processor is configured to cause the NEto determine a first secret token at the first network function in response to a request to authenticate the application entity to the second network function that has a trust relationship with the first network function and does not have a trust relationship with the application entity (i.e., …teaches in par. 0033 the following: “response back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316 using the redirection URI provided by the trust relationship establishment mechanism 306.” …teaches in par. 0035 the following: “verifies that the redirection URI included with the access token request matches the redirection URI provided with the registration request. If trust relationship establishment mechanism 316 verifies that the redirection URI included with the access token request is the same as the redirection URI provided with the registration request, the trust relationship establishment mechanism 316 sends an access token back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316. … the access token may be used by resource-side system to grant application side devices and users authorized access to resource side resources”). As to claim 11, the system of Chang, Tran and Guo as applied to claim 10 above teaches trust relationship, specifically Chang teaches a NE of claim 10, wherein the authentication request further comprises the first secret token, an identifier for the first network function, and an application identifier for the application entity for verifying the authentication request and authenticating the application entity (i.e., …teaches in par. 0032 the following: “may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like.”). As to claim 12, Chang teaches a network equipment (NE) for wireless communication, comprising: at least one memory (i.e., …teaches in par. 0005 the following: “The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment”); and at least one processor coupled with the at least one memory and configured to cause the NE to (i.e., …teaches in par. 0005 the following: “The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment”): receive, at a first network function, an authentication request from an application entity device that does not have a trust relationship with the first network function (i.e., …teaches in par. 0032 the following: “… request via trust relationship establishment mechanism 306, trust relationship establishment mechanism 306 may send the registration request to trust relationship establishment mechanism 316 as an authorized registration request.” …teaches in par. 0033 the following: “Upon trust relationship establishment mechanism 316 receiving the registration request from trust relationship establishment mechanism 306, trust relationship establishment mechanism 316 validates that the registration request is a valid registration request from an associated trust relationship establishment mechanism.”.), the authentication request comprising a client credential assertion ("CCA") token of a second network function that has a trust relationship with the first network function and the application entity (i.e., …teaches in par. 0032 the following: “device 302 initiates a registration request to register the one or more applications with the one or more resources via a user interface (UI) to trust relationship establishment mechanism 306. Administrator 308 may include in the registration request one or more registration artifacts, such as a redirection uniform resource identifier (URI), a requested scope that identifies a role of the requesting one or more applications, a local state of device 302, an identifier representing the administrator 308, a public key or certificate for the one or more applications, any additional authentication data associated with the application or the user of the application, the one or more resources to be accessed, or the like”); send, from the first network function to the application entity, an authentication result in response to verifying the CCA token, the authentication result comprising a CCA token of the first network function for establishing a security association between the application entity and a third network function (i.e., …teaches in par. 0033 the following: “response back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316 using the redirection URI provided by the trust relationship establishment mechanism 306.” …teaches in par. 0035 the following: “verifies that the redirection URI included with the access token request matches the redirection URI provided with the registration request. If trust relationship establishment mechanism 316 verifies that the redirection URI included with the access token request is the same as the redirection URI provided with the registration request, the trust relationship establishment mechanism 316 sends an access token back to trust relationship establishment mechanism 306 via trust relationship establishment mechanism 316. … the access token may be used by resource-side system to grant application side devices and users authorized access to resource side resources”). Chang does not expressly teach: verify, at the first network function, that the CCA token is associated with the second network function. In this instance the examiner notes the teachings of prior art reference Tran. TRAN teaches in par. 0023 the following: “The second application 110, authenticates the invocation request from the first application 108 using authentication token 126. The second application 110 authorizes the request because token 126 contains the initial token 124 that represents the user, showing that the first application 108 is acting on behalf of that user.”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Chang with the teachings of TRAN by having their system comprise an enhanced application security process. One would have been motivated to do so to provide a simple and effective means to configure application security, wherein the enhanced application security process helps to prevent unauthorized applications in the network and makes it easier to ensure network system security. The system of Chang and TRAN does not expressly teach: wherein the CCA token of the first network function is used for authentication of the application entity by the third network function. In this instance the examiner notes the teachings of prior art reference Guo. Guo teaches as part of his claim 1 limitation element(s) the following: “generating a first credential based on a second credential, the second credential generated for a primary authentication procedure between the UE and a cellular network, wherein the second credential is an Authentication Server Function (AUSF) key (K.sub.AUSF); generating an identifier corresponding to the first credential, said identifier uniquely identifying the first credential; calculating a multi-access edge computing (MEC) authorization parameter using the first credential and a second identifier, the second identifier being a globally unique value associated with an edge enabler client (EEC) running on the UE; transmitting an application registration request message to a server associated with an edge data network, the application registration request message including the second identifier, the second identifier corresponding to the first credential and the MEC authorization parameter; and receiving an authentication accept message or an authentication reject message from the server associated with the edge data network, wherein the authentication accept message or the authentication rejection message is based on a validation of the MEC authorization parameter.”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Chang and TRAN with the teachings of Guo by having their system comprise an enhanced access security process. One would have been motivated to do so to provide a simple and effective means to control communication access within a network, wherein the enhanced access security process helps to prevent unauthorized access within the network and makes it easier to ensure access control. As to claim 13, the system of Chang, Tran and Guo as applied to claim 12 above teaches trust relationship, specifically Chang teaches a NE of claim 12, wherein the transceiver at least one processor is configured to cause the NE to receive, at the first network function, a first secret token in the authentication request and authenticating the application entity in response to the first secret token matching a first secret token that is previously-received from the second network function (i.e.,…teaches in par. 0035 the following: “access token request is validated, then trust relationship establishment mechanism 316 verifies that the redirection URI included with the access token request matches the redirection URI provided with the registration request.”). As to claim 14, the system of Chang, Tran and Guo as applied to claim 13 above teaches trust relationship, specifically Chang teaches a NE of claim 13, wherein the at least one processor is configured to cause the NE to: receive, at the first network function, an application identifier for the application entity in the authentication request (i.e., …teaches in par. 0034 the following: “The access token request includes the redirection URI, verifiable authentication data, as well as the symmetric key. Trust relationship establishment mechanism 306 then submits the access token request using the authorization code previously received from trust relationship establishment mechanism 316 and sends the access token request to trust relationship establishment mechanism 316.”), the application entity authenticated in response to the received application identifier matching an application identifier that is previously received from the second network function (i.e., …teaches in par. 0034 the following: “Further, by sending the access token request via trust relationship establishment mechanism 306, trust relationship establishment mechanism 306 may send the access token request to trust relationship establishment mechanism 316 as an authorized access token request. Those skilled in the art will recognize that trust relationship establishment mechanism 306 may use credential data sent to the trust relationship establishment mechanism 316 in a previous operation to create verifiable authentication data in the access token request.”); and in response to authenticating the application entity (i.e., …teaches in par. 0035 the following: “Upon trust relationship establishment mechanism 316 receiving the access token request from trust relationship establishment mechanism 306, trust relationship establishment mechanism 316 validates that the access token request is an authorized registration request from an associated trust relationship establishment mechanism by verifying the authorization code.”), send, from the first network function, the application identifier and an application entity identifier to the third network function for use in authenticating the application entity with the third network function (i.e., …teaches in par. 0035 the following: “The access token does not have an expiration time period and is signed with a token issuer public key. Those skilled in the art will recognize that a finite expiration time and a renewal token may be used to renew the access token in another embodiment.”). As to claim 15, the system of Chang, Tran and Guo as applied to claim 12 above teaches trust relationship, specifically Chang teaches a NE of any of claim 12, wherein the at least one processor is configured to cause the NE to: generate, at the first network function, a second secret token at the first network function, the second secret token sent to the third network function for use in authenticating the application entity with the third network function (i.e., …teaches in par. 0033 the following: “The symmetric key being a one-time use key that is generated per request and has an expiration time period.” …teaches in par. 0035 the following: “a renewal token may be used to renew the access token”.); send, from the first network function, the second secret token to the application entity for use in authenticating the application entity with the third network function (i.e., …teaches in par. 0034 the following: “generates an access token request to be sent to trust relationship establishment mechanism 306. The access token request includes the redirection URI, verifiable authentication data, as well as the symmetric key”. …teaches in par. 0035 the following: “a renewal token may be used to renew the access token”.). Allowable Subject Matter Claim 3 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: Applicant’s recital of, “send, from the application entity, a management message to the second network function using the NAI of the second network function, the second management message comprising an application entity identifier, an application identifier, and the CCA token of the first network function; and receive, from the second network function, a second secret token, an NAI of a third network function, and a CCA token associated with the second network function in response to the CCA token associated with the first network function being verified.”. Dependent claim 4 is allowed by way of its dependency on dependent claim 3. Dependent claim 5 is allowed by way of its dependency on dependent claim 3. Dependent claim 6 is allowed by way of its dependency on dependent claim 5. Claim 18 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: Applicant’s recital of, “send, from the application entity, a management message to the second network function using the NAI of the second network function, the management message comprising an application entity identifier, an application identifier, and the CCA token of the first network function; and receive, from the second network function, a second secret token, an NAI of a third network function, and a CCA token associated with the second network function in response to the CCA token associated with the first network function being verified”. Dependent claim 19 is allowed by way of its dependency on dependent claim 18. Dependent claim 20 is allowed by way of its dependency on dependent claim 18. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BRYAN F WRIGHT/ Examiner, Art Unit 2497
Read full office action

Prosecution Timeline

Jan 02, 2024
Application Filed
May 08, 2024
Response after Non-Final Action
Dec 12, 2025
Non-Final Rejection mailed — §103, §112
Feb 25, 2026
Applicant Interview (Telephonic)
Mar 12, 2026
Response Filed
Jun 03, 2026
Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665918
Predefined signatures for inspecting private application access
4y 0m to grant Granted Jun 23, 2026
Patent 12648451
SECURE CHIPS WITH SERIAL NUMBERS
3y 0m to grant Granted Jun 02, 2026
Patent 12640913
COHERENT KEY MANAGEMENT ACROSS MULTIPLE CHIPLETS
2y 8m to grant Granted May 26, 2026
Patent 12640932
SECURING GROUP MESSAGES OVER HYPERTEXT TRANSFER PROTOCOL WITH KEY MANAGEMENT AND ROTATION FOR MULTI-PARTY GROUPS
10m to grant Granted May 26, 2026
Patent 12627509
Cryptographically Authenticated Database Representing a Multiple-Key-Pair Root Certificate Authority
2y 9m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+24.0%)
3y 2m (~7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 815 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month