Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The specification filed on June 21, 2024 is accepted.
Drawings
The drawings filed on June 21, 2024 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/29/2025 was filed after the mailing date of the application no. 18/751010 on 06/21/2024. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 9 and 18 are objected to because of the following informalities:
Claims 9 and 18 recite “wherein updating the trust relationship between the first device and the authentication server comprises one or more of: transferring the trust relationship between the second device and the authentication server to the first device and transferring the trust relationship between the second device and the authentication server to the first device”. The examiner notes that “transferring the trust relationship between the second device and the authentication server to the first device” is recited twice in the claim. Therefore, the duplicate limitation should be amended and/or deleted. Appropriate correction is required.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a first device” in claim 20.
The claim limitation “a first device” in claim 20 is given its broadest reasonable interpretation, with a limited description in the specification. The examiner notes that the first device is an authentication device which may be a mobile device, smartphone or computer tablet [0020]. Accordingly, claim 20 invokes 35 U.S.C. 112(f) or sixth paragraph, but the corresponding structure is described.
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6, 8-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Xia et al (hereinafter Xia) (US 20200233949) in view of Dawoud et al (hereinafter Dawoud) (US 20160080380).
Regarding claims 1, 11 and 20, Xia teaches a method for transferring a trust relationship between a first device and a second device, the method comprising: (Xia on [0004] teaches a user can designate a device, such as the user's phone, to serve as a security token that is indicative of an authorized user's presence. The resource can be configured to detect the presence of the trusted device and automatically grant access to the user in response, without requiring user input to the resource or the trusted device);
a non-transitory computer readable storage medium comprising stored program code, the program code comprised of instructions, the instructions when executed causes a processor system to: (Xia on [0247] teaches non-transitory memory storing instructions executed by processor);
a system comprising (Xia on [0070] teaches system);
a first device configured to request access to an authentication server (Xia on [0072] teaches the user 102 may initiate access to the resource 120, and the resource (i.e., first device) sends data indicating the access attempt to the server 130 (i.e., authentication server));
a second device having a trust relationship with the authentication server, the trust relationship establishing that the second device can access the authentication server (Xia on [0070] teaches the user 102 has previously associated or registered the trusted device 110 (i.e., second device) as a security token for the user 102, to be used for gaining access to the resource 120, wherein the devices are registered to serve (i.e., trust relationship with server) as an authentication token for the resource 120);
receiving, from a first device, a request to access an authentication server (Xia on [0072] teaches the user 102 may initiate access to the resource 120, and the resource (i.e., first device) sends data indicating the access attempt to the server 130 (i.e., authentication server));
receiving, at the authentication server, one or more proximity signals transmitted from the first device and one or more proximity signals transmitted from a second device (Xia on [0071-0072] teaches one or more server systems, represented by server 130, to communicate with the resource 120 and the trusted device 110. Further teaches the server 130 identifies the trusted device 110 as a device that may provide proximity-based access if located in proximity to the resource 120 (i.e., indicated that server has access to proximity location of both resource and trusted device). See on [0085] teaches the resource 120, the device 110, and/or the server 130 can apply security policies, usage restrictions, reporting functions, and logging functions associated with the credential in addition to determining whether appropriate proximity is detected. See also on [0156] teaches data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer (i.e., also indicates that the server has access to proximity location of both mobile and computer) and allows the phone to be used for the pairing);
wherein the second device has a trust relationship with the authentication server, the trust relationship establishing that the second device can access the authentication server; (Xia on [0070] teaches the user 102 has previously associated or registered the trusted device 110 (i.e., second device) as a security token for the user 102, to be used for gaining access to the resource 120, wherein the devices are registered to serve (i.e., trust relationship with server) as an authentication token for the resource 120);
confirming that the first device and the second device are in proximity to each other based on the one or more proximity signals transmitted from the first device and the one or more proximity signals transmitted from the second device (Xia on [0071-0072] teaches one or more server systems, represented by server 130, to communicate with the resource 120 and the trusted device 110. Further teaches the server 130 identifies the trusted device 110 as a device that may provide proximity-based access if located in proximity to the resource 120. See on [0085] teaches the resource 120, the device 110, and/or the server 130 can apply security policies, usage restrictions, reporting functions, and logging functions associated with the credential in addition to determining whether appropriate proximity is detected. See also on [0156] teaches Data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer and allows the phone to be used for the pairing. See also on [0165] teaches after a user scans the QR code with a mobile device, a server system in communication with both the mobile device and the resource may receive data extracted from the QR code and verify that the extracted data matches the data in the QR code the server system sent for display at the resource).
Although Xia teaches the first device decrypting the message to validate the trust relationship, Xia fails to explicitly teach a server device verifying the trust relationship with the second device by decrypting a signed message received from the second device after confirmation that the first device and the second device are in proximity to each other, and updating a trust relationship between the first device and the authentication server based on the verified trust relationship between the second device and the authentication server after verification of the trust relationship with the second device. However, Dawoud, from analogous art, teaches
verifying the trust relationship with the second device by decrypting a signed message received from the second device after confirmation that the first device and the second device are in proximity to each other (Dawoud on [0039] teaches the first computing device 102 retains the private key and uses the private key to sign (e.g., encrypt) information that can be decrypted by other devices (e.g., computing device 106) that have the public key, thereby proving to the other devices that the information was provided by the first computing device 102. Note that the trusted entity (i.e., authentication server) has the public key [0019, 0032 and 0040-0041] therefore, public key can be used by the trusted entity to decrypt the signed message);
and updating a trust relationship between the first device and the authentication server based on the verified trust relationship between the second device and the authentication server after verification of the trust relationship with the second device (Dawoud on [0063] teaches as new devices join the domain and are registered with the trusted entity device 202 over time (e.g., added to the list of trusted devices 108), the trusted entity device 202 may add the new devices to appropriate groups of devices and push or distribute their public keys to other trusted devices that are part of the same group so that the other trusted devices in the group may be updated with the public key information related to the new devices that join the domain (e.g., devices that belong to the same user). See also on [0156] teaches Data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer and allows the phone to be used for the pairing).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Dawoud into the teaching of Xia by decrypting at the server the signed message using the public key for validating the trust relationship and updating by the server device the trust relationship between the first device and the second device. One would be motivated to do so in order to securely and automatically establish trust between devices associated with the same domain or entity (Dawoud [0004-0005]).
Regarding claim 2, the combination of Xia and Dawoud teaches all the limitations of claim 1 above. Xia further teaches wherein the one or more proximity signals comprises at least one of: an optical signal; an electromagnetic signal; a magnetic signal; an acoustic signal; and a mechanical signal (Xia on [0077, 0233 and 0247] teaches radio, optical or electromagnetic signal).
Regarding claims 3 and 12, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Xia further teaches wherein the trust relationship between the first device and the authentication server is defined by a private-public key pair, the first device storing a private key of the private-public key pair (Xia on [0150] teaches the server 130 creates a public key/private key pair for the mobile device 110 and for the resource 120. The server 130 sends each device 110, 120 its own private key, and the server 130 sends each device 110, 120 the public key to the other device).
Dawoud teaches the authentication server storing a public key of the private-public key pair (Dawoud on [0032] teaches the trusted entity stores the public key of public-private key pair).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Dawoud into the teaching of Xia by decrypting at the server the signed message using the public key for validating the trust relationship and updating by the server device the trust relationship between the first device and the second device. One would be motivated to do so in order to securely and automatically establish trust between devices associated with the same domain or entity (Dawoud [0004-0005]).
Regarding claims 4 and 13, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Xia further teaches wherein confirming that the first device and second device are in proximity to each other comprises: comparing the one or more signals received from the first device and the one or more signals received from the second device (Xia on [0120-0121] teaches comparing the signal strength with pre-determined signal strength. See also on [0156] teaches Data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer and allows the phone to be used for the pairing).
Regarding claims 5 and 14, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Xia further teaches wherein confirming that the first device and second device are in proximity to each other comprises: receiving first QR code data from the first device, wherein the first device displays a QR code; receiving second QR code data from the second device, wherein the second device reads the displayed QR code using a digital camera of the second device; and comparing the first QR code to the second QR code to confirm that the first device and second device are in proximity to each other (Xia on [0134-0138, 0156 and 0165] teaches Data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer and allows the phone to be used for the pairing).
Regarding claims 6 and 15, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Xia further teaches wherein verifying the trust relationship with the second device comprises: transmitting a message to the second device; receiving, from the second device, an encrypted version of the transmitted message, wherein the transmitted message is encrypted using a private key of a private-public key pair stored at the second device; and decrypting the encrypted version of the transmitted message, (Xia on [0113] teaches the device 110 encrypts the password using the public encryption key for the resource 120. This can be the encryption key received previously from the server 130, which was specifically associated provided for this particular pairing between the device 110 and the resource 120. For example, it can be a public key for the resource 120 from a public key pair associated with the pairing of the devices 110, 120. The device 110 then sends the encrypted form of the password as authentication data 230 in a message to the server 130).
Dawoud teaches wherein the transmitted message is decrypted using a public key of a private-public key pair stored at the authentication server (Dawoud on [0039] teaches the first computing device 102 retains the private key and uses the private key to sign (e.g., encrypt) information that can be decrypted by other devices (e.g., computing device 106) that have the public key, thereby proving to the other devices that the information was provided by the first computing device 102. Note that the trusted entity (i.e., authentication server) has the public key [0019, 0032 and 0040-0041] therefore, public key can be used by the trusted entity to decrypt the signed message).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Dawoud into the teaching of Xia by decrypting at the server the signed message using the public key for validating the trust relationship and updating by the server device the trust relationship between the first device and the second device. One would be motivated to do so in order to securely and automatically establish trust between devices associated with the same domain or entity (Dawoud [0004-0005]).
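The server-side sequence recited for claims 1, 5 and 6 above, as an added Go sketch that is not taken from the application, Xia or Dawoud: QR data match for proximity, then verification of the trusted device's signed message against its enrolled public key, then enrollment of the new device's key. Ed25519 signature verification stands in for what the action calls decrypting a signed message; the `Server` type, the device names and the challenge-plus-new-key message layout are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrNoSession = errors.New("no pending request in the required state")
var ErrProximity = errors.New("QR data mismatch, proximity not confirmed")
var ErrUntrusted = errors.New("trusted-device signature not verified")

// Server is a hypothetical authentication server; every name here is an assumption.
type Server struct {
	trusted   map[string]ed25519.PublicKey // device ID -> enrolled public key
	qrData    map[string][]byte            // first-device ID -> QR data issued for display
	challenge map[string][]byte            // first-device ID -> challenge issued after proximity check
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// RequestAccess opens a request and returns the QR data the first device displays.
func (s *Server) RequestAccess(firstID string) []byte {
	s.qrData[firstID] = randomBytes(16)
	return s.qrData[firstID]
}

// ConfirmProximity compares the QR data scanned by the second device with the data
// issued to the first device; only a match yields a signing challenge.
func (s *Server) ConfirmProximity(firstID string, scanned []byte) ([]byte, error) {
	issued, ok := s.qrData[firstID]
	if !ok {
		return nil, ErrNoSession
	}
	delete(s.qrData, firstID) // QR data is single use whether or not it matches
	if subtle.ConstantTimeCompare(issued, scanned) != 1 {
		return nil, ErrProximity
	}
	s.challenge[firstID] = randomBytes(32)
	return s.challenge[firstID], nil
}

// TransferTrust verifies the second device's signature over challenge||firstPub (an
// assumed layout that ties approval to one new key), then enrolls the first device.
func (s *Server) TransferTrust(firstID, secondID string, sig []byte, firstPub ed25519.PublicKey) error {
	challenge, ok := s.challenge[firstID]
	if !ok || len(firstPub) != ed25519.PublicKeySize {
		return ErrNoSession
	}
	delete(s.challenge, firstID) // a challenge is single use
	pub, enrolled := s.trusted[secondID]
	msg := append(append([]byte{}, challenge...), firstPub...)
	if !enrolled || !ed25519.Verify(pub, msg, sig) {
		return ErrUntrusted
	}
	s.trusted[firstID] = firstPub
	return nil
}

// runScenario drives the flow with constructed devices: "phone" (trusted), "laptop" (new).
func runScenario(tamperQR, rogueSigner bool) error {
	s := &Server{trusted: map[string]ed25519.PublicKey{}, qrData: map[string][]byte{}, challenge: map[string][]byte{}}
	phonePub, signer, _ := ed25519.GenerateKey(rand.Reader)
	s.trusted["phone"] = phonePub
	laptopPub, _, _ := ed25519.GenerateKey(rand.Reader)
	if rogueSigner { // sign with a key the server never enrolled
		_, signer, _ = ed25519.GenerateKey(rand.Reader)
	}
	scanned := append([]byte{}, s.RequestAccess("laptop")...)
	if tamperQR { // the second device did not read the displayed code
		scanned[0] ^= 0xff
	}
	challenge, err := s.ConfirmProximity("laptop", scanned)
	if err != nil {
		return err
	}
	sig := ed25519.Sign(signer, append(append([]byte{}, challenge...), laptopPub...))
	return s.TransferTrust("laptop", "phone", sig, laptopPub)
}

func main() { fmt.Println(runScenario(false, false), runScenario(true, false), runScenario(false, true)) }
```

Ordering is the point of the sketch: no challenge exists until the QR data matches, and no key is enrolled until the signature verifies against a key the server already holds.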
Regarding claims 8 and 17, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Dawoud further teaches wherein updating the trust relationship between the first device and the authentication server comprises: receiving a second public-private key pair from the second device (Dawoud on [0063] teaches as new devices join the domain and are registered with the trusted entity device 202 over time (e.g., added to the list of trusted devices 108), the trusted entity device 202 may add the new devices to appropriate groups of devices and push or distribute their public keys to other trusted devices that are part of the same group so that the other trusted devices in the group may be updated with the public key information related to the new devices that join the domain (e.g., devices that belong to the same user). See also on [0156] teaches Data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer and allows the phone to be used for the pairing);
transmitting a private key of the second public-private key pair to the first device (Dawoud on [0048 and 0111] teaches sending private key of public-private key pair);
and storing a public key of the second public-private key pair at the authentication server, the public key representing the updated trust relationship (Dawoud on [0032] teaches the trusted entity stores the public key of public-private key pair).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Dawoud into the teaching of Xia by decrypting at the server the signed message using the public key for validating the trust relationship and updating by the server device the trust relationship between the first device and the second device. One would be motivated to do so in order to securely and automatically establish trust between devices associated with the same domain or entity (Dawoud [0004-0005]).
Regarding claims 9 and 18, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Dawoud further teaches wherein updating the trust relationship between the first device and the authentication server comprises one or more of: transferring the trust relationship between the second device and the authentication server to the first device and transferring the trust relationship between the second device and the authentication server to the first device (Dawoud on [0063] teaches as new devices join the domain and are registered with the trusted entity device 202 over time (e.g., added to the list of trusted devices 108), the trusted entity device 202 may add the new devices to appropriate groups of devices and push or distribute their public keys to other trusted devices that are part of the same group so that the other trusted devices in the group may be updated with the public key information related to the new devices that join the domain (e.g., devices that belong to the same user). See also on [0156] teaches Data encoded in the QR code is extracted and provided to the server 130, which can verify that the extracted data from the phone matches the data encoded in the QR code the server 130 provided to the computer. The match verifies that the phone is near the computer and allows the phone to be used for the pairing).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Dawoud into the teaching of Xia by decrypting at the server the signed message using the public key for validating the trust relationship and updating by the server device the trust relationship between the first device and the second device. One would be motivated to do so in order to securely and automatically establish trust between devices associated with the same domain or entity (Dawoud [0004-0005]).
Regarding claims 10 and 19, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. Xia further teaches wherein updating a trust relationship between the first device and the authentication server comprises: invalidating an existing trust relationship assigned to the first device; and replacing the existing trust relationship with the trust relationship between the second device and the authentication server (Xia on [0160-0161] teaches the interface also includes an option to remove the pairing, and thus remove automatic access based on proximity of the phone. Further teaches the user may be able to access, modify, or remove pairing of the phone with other devices).
Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Xia et al (hereinafter Xia) (US 20200233949) in view of Dawoud et al (hereinafter Dawoud) (US 20160080380) and further in view of Park et al (hereinafter Park) (US 20130340040).
Regarding claims 7 and 16, the combination of Xia and Dawoud teaches all the limitations of claims 1 and 11 respectively. The combination fails to explicitly teach generating an error message in a log file; and transmitting the error message to an administrator. However, Park, from analogous art, teaches
wherein the authentication server is unable to verify the trust relationship with the second device, the method further comprising: generating an error message in a log file; and transmitting the error message to an administrator (Park on [0087 and 0094] teaches the eUICC 100 may deliver the verification result including success or failure of the trust relationship).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date to implement the teaching of Park into the combined teaching of Xia and Park by sending a failure message when the trust relationship is not verified. One would be motivated to do so in order to prevent devices from building a trust relationship with unknown or unauthorized devices by sending a failure message (Park [0006-0013]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Joglekar et al (US 12224991) is directed towards system for establishing trust between devices using a proximity based key exchange protocol, the protocol involves the coordination of connected devices and a cloud service provider. Techniques described herein may be used to implement a multi-modal enrollment protocol in which a proximity channel and cloud service provider are jointly used to securely establish control keys that will be trusted by a device or application to authorize privacy preferences.
Daly (US 20210326410) is directed towards a system for developing a trust relationship between a first party device and a second party device to effect secure communication therebetween. The first party device includes a first storage device for storing a plurality of predetermined and distinct entropy stores.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522. The examiner can normally be reached 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOEEN KHAN/ Primary Examiner, Art Unit 2436