DETAILED ACTION
The instant application having Application No. 18/619669 filed on March 28, 2024 is presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, found at http:/www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.
Applicant is also encouraged to contact the Examiner for an Interview, should the Applicant determine that clarifying and further illustrating the distinguishing features of the instant application may further the prosecution.
Oath/Declaration
The applicant’s oath/declaration has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.
Drawings
The applicant’s drawings submitted are acceptable for examination purposes.
Claim Objections
Claims 4, 12, and 18 are objected to because of the following informalities:
Claims 4, 12, and 18 recite “at least two different keys”, which should be “the at least two different keys” as the “at least two different keys” was previously defined in independent claims 1, 9, and 15. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 9, and 15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claims 1, 9, and 15 recite determining if a data package is trustworthy based on at least two different keys. This is considered as a mental validation process to determine if the data package is trustworthy by signing the data package using the keys and then later verifying the signatures to prove trust.
These limitations, as drafted, corresponds to a process that, under its broadest reasonable interpretation, is an abstract idea drawn to performing a mental validation process but for the recitation of generic computer components and generic computer functions that are well understood, routine, and conventional. That is, other than reciting “a processor” to perform the steps (in claims 9 and 15) and reciting generic computer functions that are well understood, routine, and conventional, nothing in the claim element precludes the steps from merely being the performance of mental validation process. If a claim limitation, under its broadest reasonable interpretation, covers performing the abstract idea in the human mind but for the recitation of generic computer components, then it falls within the “Mental Process” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements of: 1) using a processor to perform the steps (in claims 9 and 15), 2) obtaining the data package indicating a request, and 3) servicing the request. The processor in the steps is recited at a high-level of generality (i.e., as a generic processor performing the claimed steps) such that it amounts no more than mere instructions to apply the exception using a generic computer component. The additional elements of obtaining the data package and servicing the request are considered as generic computer functions that are well understood, routine, and conventional as every computer can receive data and process requests. Accordingly, these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of using a processor to perform the steps amounts to no more than mere instructions to apply the exception using a generic computer component and generic computer functions. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, the claim is not patent eligible.
Dependent claims 2-8, 10-14, and 16-20 are also rejected for the same reason as cited above for not reciting any additional elements that amount to significantly more than the judicial exception.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-7 and 9-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by NPL “FIDO Device Onboard Specification” hereinafter referred to as FIDO.
As per claims 1, 9, and 15, FIDO discloses A method of managing an endpoint device, the method comprising:
obtaining a data package, the data package indicating a request for the endpoint device (FIDO, Figure 3 and section 2.5.4, teaches the device initiating a Transfer Ownership Protocol 2 (TO2) with the device owner. This is a request to transfer ownership from the manufacturer to the device owner. FIDO, section 2.5, teaches that during TO2 the “device contacts owner [and] establishes trust and then performs ownership transfer”.);
making a determination, based on validation rules for the endpoint device that allow for the data package to be considered trustworthy based on at least two different keys, regarding whether the data package is trustworthy (FIDO, section 2.3.2, teaches that mutual trust is proven during TO2 to establish a secure channel and exchange key pairs. FIDO, section 2.5, teaches that during TO2 the “device contacts owner [and] establishes trust and then performs ownership transfer”. FIDO, section 2.7 and Figure 4, teaches establishing the trust using an Ownership Voucher. The Ownership Voucher contains a chain of signed public keys to form a chain of trust from the manufacturer to the owner. The device “verifies the signatures of the Ownership Voucher in sequence” and then requires the owners public key to complete the chain of trust from the manufacturer to the owner. As shown in Figure 4, multiple keys are used to sign the document. Therefore, multiple keys, including the owners public key, are used to verify the different signatures to complete the chain of trust. FIDO, sections 3.4.5-3.4.6, also teaches the owner validating the device certificate chain (by verifying the certificates and signature chain) before trusting and accepting ownership of the device. FIDO, page 8, defines the Ownership Voucher as a “credential, passed through the supply chain, that allows an Owner to verify the Device and gives the Device a mechanism to verify the Owner”. FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as verifying the signatures. Therefore, the rules are that all the signatures must be verified and trusted before ownership is transferred to the new owner.); and
in an instance of the determination in which the data package is determined to be trustworthy: servicing the request (FIDO, Figure 3 and section 2.5.4, teaches TO2 transferring ownership from the manufacturer to the device owner and storing new credentials for the new owner on the device. FIDO, section 2.5, teaches that during TO2 the “device contacts owner [and] establishes trust and then performs ownership transfer”.);
Claim 9 recites the additional limitations of “A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for managing an endpoint device, the operations comprising…” (FIDO, section 1, teaches a processor executing applications.)
Claim 15 recites the additional limitations of “A data processing system, comprising: a processor; and a memory coupled to the processor to store instructions, which when executed by the processor, cause the processor to perform operations for managing an endpoint device, the operations comprising…” (FIDO, section 1, teaches a processor executing applications.)
As per claims 2, 10, and 16, FIDO discloses The method of claim 1, further comprising: prior to obtaining the data package: obtaining an ownership voucher for the endpoint device, the ownership voucher comprising: a chain of certificates indicating at least one delegation of authority for the endpoint device; and the validation rules (FIDO, section 2.7 and 3.4.5-3.4.6 and Figure 4, teaches establishing trust using an Ownership Voucher containing a device certificate chain. FIDO, Figure 2 and section 2.4, teaches the Ownership Voucher being generated during manufacture of the device (e.g. prior to later obtaining any messages from the device). FIDO, section 2.5.4, teaches that the owner has received the Ownership Voucher prior to initiating Transfer Ownership Protocol 2. FIDO, sections 2.3.2 and Appendix B, teaches that a Certificate Authority is used by the manufacturer to create the certificate chain. FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities.)
As per claims 3, 11, and 17, FIDO discloses The method of claim 2, wherein the validation rules are selected by an entity vested with authority over the endpoint device by the ownership voucher prior to obtaining the ownership voucher for the endpoint device (FIDO, sections 2.3.2 and Appendix B, teaches that a Certificate Authority is used by the manufacturer to create the certificate chain. FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities.)
As per claims 4, 12, and 18, FIDO discloses The method of claim 3, wherein the validation rules specify that the data package be multiply signed with at least two different keys (FIDO, sections 2.3.2 and Appendix B, teaches that a Certificate Authority is used by the manufacturer to create the certificate chain. FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities. FIDO, section 2.7 and Figure 4, teaches establishing the trust using an Ownership Voucher. The Ownership Voucher contains a chain of signed public keys to form a chain of trust from the manufacturer to the owner. The device “verifies the signatures of the Ownership Voucher in sequence” and then requires the owners public key to complete the chain of trust from the manufacturer to the owner. As shown in Figure 4, multiple keys are used to sign the document. Therefore, multiple keys, including the owners public key, are used to verify the different signatures to complete the chain of trust. FIDO, sections 3.4.5-3.4.6, also teaches the owner validating the device certificate chain (by verifying the certificates and signature chain) before trusting and accepting ownership of the device. FIDO, page 8, defines the Ownership Voucher as a “credential, passed through the supply chain, that allows an Owner to verify the Device and gives the Device a mechanism to verify the Owner”. As shown in Figure 4, each owner in the change of ownership is required to sign the ownership voucher.)
As per claims 5, 13, and 19, FIDO discloses The method of claim 4, wherein the validation rules further specify that a first key of the at least two different keys be from a first pool of keys and a second key of the at least two different keys be from a second pool of keys (FIDO, section 2.7 and Figure 4, teaches establishing the trust using an Ownership Voucher. The Ownership Voucher contains a chain of signed public keys to form a chain of trust from the manufacturer to the owner. The device “verifies the signatures of the Ownership Voucher in sequence” and then requires the owners public key to complete the chain of trust from the manufacturer to the owner. As shown in Figure 4, multiple keys are used to sign the document. These multiple keys can be considered as being from different pools as they are from different entities such as the device, the manufacturer, the distributer, the retailer, and the owner. FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities. As shown in Figure 4, each owner in the change of ownership is required to sign the ownership voucher.)
As per claims 6, 14, and 20, FIDO discloses The method of claim 5, wherein the validation rules further specify that the first pool of keys and the second pool of keys be any two different pools of keys of multiple pools of keys (FIDO, section 2.7 and Figure 4, teaches establishing the trust using an Ownership Voucher. The Ownership Voucher contains a chain of signed public keys to form a chain of trust from the manufacturer to the owner. The device “verifies the signatures of the Ownership Voucher in sequence” and then requires the owners public key to complete the chain of trust from the manufacturer to the owner. As shown in Figure 4, multiple keys are used to sign the document. These multiple keys can be considered as being from different pools as they are from different entities such as the device, the manufacturer, the distributer, the retailer, and the owner. FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities. As shown in Figure 4, each owner in the change of ownership is required to sign the ownership voucher.)
As per claim 7, FIDO discloses The method of claim 5, wherein the first pool of keys comprises keys associated with a first organization and the second pool of keys comprises keys associated with a second organization (FIDO, section 2.7 and Figure 4, teaches establishing the trust using an Ownership Voucher. The Ownership Voucher contains a chain of signed public keys to form a chain of trust from the manufacturer to the owner. The device “verifies the signatures of the Ownership Voucher in sequence” and then requires the owners public key to complete the chain of trust from the manufacturer to the owner. As shown in Figure 4, multiple keys are used to sign the document. These multiple keys can be considered as being from different pools as they are from different entities such as the device, the manufacturer, the distributer, the retailer, and the owner (e.g. different organization). FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities. As shown in Figure 4, each owner in the change of ownership is required to sign the ownership voucher.)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over NPL “FIDO Device Onboard Specification” hereinafter referred to as FIDO.
As per claim 8, FIDO discloses The method of claim 4 (See Rejection Above).
FIDO discloses wherein the validation rules further specify that the data package be multiply signed with [a key] from a first pool of keys and [a key] from a second pool of keys (FIDO, section 2.7 and Figure 4, teaches establishing the trust using an Ownership Voucher. The Ownership Voucher contains a chain of signed public keys to form a chain of trust from the manufacturer to the owner. The device “verifies the signatures of the Ownership Voucher in sequence” and then requires the owners public key to complete the chain of trust from the manufacturer to the owner. As shown in Figure 4, multiple keys are used to sign the document. These multiple keys can be considered as being from different pools as they are from different entities such as the device, the manufacturer, the distributer, the retailer, and the owner (e.g. different organization). FIDO, section 1.5.3, teaches the Ownership Voucher having requirements/rules during TO2 such as “Verify all combinations” such as verifying the hashes, the MACs, and all signatures. FIDO, section 1.5.3, also teaches the manufacturer seeding the Ownership Voucher with a cryptographic option that must be followed by all subsequent entities. As shown in Figure 4, each owner in the change of ownership is required to sign the ownership voucher.)
As shown above, FIDO discloses requiring a single signature from each entity in the chain of ownership. Therefore, one signature is required from each pool/organization such as the device, the manufacturer, the distributor, the retailer, and the final owner. However, FIDO does not specifically require using multiple keys from each pool/organization.
However, it would have been obvious to one of ordinary skill in the art before the effective filing date to have used multiple keys from each pool/organization instead of one key from each pool/organization as this would have been an obvious design choice to use one key or multiple keys to result in signing the ownership voucher to prove the chain of trust. Using multiple keys and multiple signatures would also increase the overall security of the system.
Related Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure includes:
Janjua (US 2018/0062859) – teaches trusting an object based on one or multiple signature verifications.
Pala (US 2022/0353061) – teaches a trust model using multiple signatures.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310. The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/John B King/
Primary Examiner, Art Unit 2498