Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The instant application having Application No. 18/930,825 is presented for examination by the examiner.
Claim Objections
Claims 7 and 18 are objected to under 37 CFR 1.75 as being a substantial duplicate of claims 6 and 17. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
As per claims 1 and 12, the limitations “responsive to the access device, providing access to a resource, receiving, by the server, an online authorization request from the access device; and executing the online authorization request to provide the access device with a response” is confusing by itself and contradicts the limitation “wherein the access device operates in an offline mode” when read together. The act of requesting and receiving a response are not tied to anything in the claim. It is unclear what is requested and what is the response. Moreover, the act of communicating with a server to perform online authorization is in stark contrast to the recited “offline mode”. For purposes of examination, the response and request are given no patentable weight as they do not accomplish anything and setting them aside enables the access device to operate in an offline mode. Appropriate correction is required. The dependent claims are likewise rejected.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-7, 9, 12-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2012/0308003 to Mukherjee in view of WO 2012/136987 to Fiske et al., hereinafter Fiske and in view of USP Application Publication 2015/0350894 to Brand.
As per claims 1 and 12, Mukherjee teaches a computer-implemented method performed by a server comprising:
wherein the user device: (a) generates a code [470] based on an interaction data [message] and a digital signature (440), the code comprising (i) the digital certificate generated by the server (450) (0046), and (ii) an index associated with the server [identifying information in the certificate of the issuer; Fig. 16], and
(b) provides the code to an access device (0053);
responsive to the access device, providing access to a resource, receiving, by the server, an online authorization request from the access device; and executing the online authorization request to provide the access device with a response [Examiner note: these steps are given no patentable weight for reasons above so that the access device can operate in an offline mode as intended],
wherein the access device operates in an offline mode and is configured to: (i) process the code to obtain the interaction data (0053), (iii) obtain first public key of the user device based on the second public key of the server and the digital certificate [uses issuer’s public key to verify the certificate containing the user’s public key; 0054], and (iv) determine validity of the interaction data based on the digital signature and the first public key of the user device (0055-56).
Mukherjee is silent in explicitly teaching generating a key pair including a first public key and a first private key, wherein the key pair is to be associated with a user device; generating a digital certificate for the user device, wherein the digital certificate comprises the first public key associated with the user device; transmitting the digital certificate and the first private key to the user device. On the other hand, Brand teaches that a CA can generate the key pair for the user and supply the signed public key certificate and private key to the user (0040 and 0041). Brand explicitly states the CA can generate the user’s keys. Mukherjee is silent as to the origin of the user’s key but does teach that they have been certified by a trusted CA. Having that CA generated the keys which it intends to certify reduces some overhead. Ultimately it is an obvious choice if, as Brand teaches, the user device is not readily able to perform such complex computations. Having the same CA that generates the certificate for the user, also generate the keys leads to a predictable result. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which produce predictable results.
Mukherjee is silent in explicitly teaching (ii) obtain, from a local storage, a second public key of the server based on the index. On the other hand, Fiske teaches that a CA Public key Index can be read in during an offline transaction to lookup the corresponding CA’s locally stored public key so that it may easily select that public key to verify a signature that was signed with the corresponding private key (pg. 5, line 25-pg. 6, line 5). Fiske index comes from the user side during the transaction. Mukherjee already has identifying data of the issuer in the certificate so listing which key the issuer used would speed up the verification. Further offline capabilities are realized when the server side stores the CA public key locally. Incorporating these steps could speed up the process of Mukherjee and eliminate the need to contact the CA as the time of validation. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which produce predictable results.
As per claims 2 and 13, the server is further configured to certify the digital certificate within a threshold time period prior to the access device obtaining the code from the user device [shown in element 1640 of Fig. 16; validity period].
As per claims 3 and 14, Mukherjee is silent in explicitly teaching generating periodically, a new key pair including a new first public key and a new first private key, wherein the new key pair is to be associated with the user device; and transmitting the new key pair to the user device. Brand teaches periodically, a new key pair including a new first public key and a new first private key, wherein the new key pair is to be associated with the user device; and transmitting the new key pair to the user device (0081). Mukherjee’s certificates have a valid lifetime. After expiration, the CA would need to create a new certificate. As combined above, if the CA generates both the keys and the certificate it obviously can do this each time the certificate expires. Examiner relies upon the same rationale as recited in the rejection of claim 1.
As per claims 4 and 15, Mukherjee teaches the digital certificate includes an indicator identifying a cryptographic algorithm that is to be used by the user device for generating the digital signature (Public key algorithm listed in certificate; Fig. 16].
As per claims 5 and 16, Mukherjee teaches the user device generates the digital signature utilizing an elliptical curve cryptography algorithm (0068), the first private key of the user device (0044), and at least one timestamp data field, a public key index data field, and a public key certificate of the interaction data (0049).
As per claims 6, 7, 17, and 18, Mukherjee teaches the access device obtains the index by decrypting the interaction data [issuer of the certificate] and retrieves the second public key associated with the server based at least in part on the index (0054).
As per claims 9 and 20, Mukherjee teaches the code is in form of a sound presented to the access device via a speaker of the user device (0081).
Claim(s) 8, 10, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mukherjee, Brand, and Fiske as applied to claims 1 and 12 above, and further in view of USP Application Publication 2012/0330845 to Kang.
As per claims 8 and 19, Mukherjee teaches the code is in form of a quick response (QR) code (0016). Mukherjee, Brand, and Fiske do not explicitly teach that the code is presented to the access device via a display of the user device. On the other hand, Kang teaches a QR code is presented to the access device via a display of the user device (0039). Mukherjee uses a computer to create the code and it is obvious that computers have displays. Thus, the QR code could have been presented via display rather than printed. Mukherjee even teaches the QR codes can be encoded into digital formats (0081). The claim is obvious because one of ordinary skill in the art can substitute known methods before the effectively filing date which do not produce unpredictable results.
As per claim 10, Mukherjee, Brand, and Fiske are silent in explicitly teaching, the access device verifies whether a first identifier associated with the interaction data satisfies a first condition related to a time instance at which the first identifier of the interaction data is generated. Kang teaches determining whether a first identifier [public certificate] associated with the interaction data satisfies a first condition [not expired] related to a time instance at which the first identifier of the interaction data is generated [start date of the certificate’s validity period] (0026). Kang specifically teaches verifying where the received X.509 certificate is not expired and is received during a valid time period. Mukherjee already uses X.509 certificates which have this time field. Therefore, it would have been obvious to check the time period in the certificate after validating the signature. As, mentioned above it would have been obvious to perform the next condition check after the initially selected security check passes where order does not matter. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.
Mukherjee, Brand, and Fiske are silent in teaching verifying whether a second identifier of the user device satisfies a second condition, the second condition corresponding to determining whether the second identifier of the user device is a restricted identifier. Kang teaches verifying whether a second identifier of the user device [user device certificate] satisfies a second condition [not on CRL] (0026), the second condition corresponding to determining whether the second identifier of the user device is a restricted identifier [device certificates on the CRL have been stolen and deemed fraudulent; 0039]. Kang explicitly teaches using the CRL to validate transactions while offline (0039). Thus, Kang is able to perform whether the device’s certificate’ is identified on the CRL. CRL are well-known in the art to revoke certificates that have not naturally expired. This is one additional check that can be performed that would yield a predictable result because it can be performed offline just as Mukherjee operates. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.
As per claim 11, the combination of Mukherjee, Brand, Kang and Fiske teaches the first condition corresponds to a time instance at which the first identifier of the interaction data is generated [Kang: 0026], and the second condition corresponds to determining whether an identifier of the user device is a restricted identifier [Kang: 0039].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316. The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431