Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of claims
This office action is in response to claims filed on 11/08/2024; the parent application priority date of 02/21/2020 is considered
Claim 1 is pending and rejected
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/08/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claim 1 is rejected on the ground of nonstatutory double patenting as being anticipated by claim 1 of U.S. Patent No. 11,489,835 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the parent claimed patents and the instant application are directed to access control for secure transaction. Please see the table below for claim comparison.
Instant application
US 11,489,835 B2
1. A method for performing secure transactions, comprising:
providing an access controller between a core application and a third-party application, wherein the access controller prevents the third-party application from unauthorized access to the core application;
receiving, by the access controller, a command from the third-party application to access the core application;
transmitting, by the access controller, an authorization request to a secure application storing credentials of a user;
providing, by the access controller, the third-party application with access to the core application in response to the access controller receiving notification from the secure application that the command is authorized; and
preventing, by the access controller, the third-party application from accessing the core application in response to the access controller receiving notification from the secure application that the command is unauthorized.
1. A method for performing secure transactions, comprising:
providing an access controller between a core application and a third-party application, wherein the access controller prevents the third-party application from unauthorized access to the core application, wherein the access controller is independent from the core application;
receiving, by the access controller, a command from the third-party application to access the core application;
receiving, by the access controller, an identifier associated with the command and identifying a secure application, wherein the identifier is one of a two-dimensional bar code, numerical value, or a string, generated by the secure application and transmitted by the third-party application, wherein the third-party application and the secure application execute on a mobile device of a user;
transmitting, by the access controller, an authorization request to the secure application storing credentials of the user, wherein the access controller transmits the authorization request to the secure application based on the identifier;
providing, by the access controller, the third-party application with access to the core application in response to the access controller receiving a notification from the secure application that the command is authorized; and
preventing, by the access controller, the third-party application from accessing the core application in response to the access controller receiving the notification from the secure application that the command is unauthorized.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Clancy et al. US Pub. No.: 2013/0268997 A1 (hereinafter Clancy) in view of Hockey et al US Pub. No: 2019/0318122 A1 (hereinafter Hockey).
Clancy discloses:
As to claim 1, A method for performing secure transactions, comprising: providing an access controller between a core application and a third-party application, wherein the access controller prevents the third-party application from unauthorized access to the core application (see Clancy Figs. 1, 6-7 and ¶¶66 99 101, policy engine 118 [i.e. access controller] determines whether a call, by an application 110 [i.e. third-party application], to execute privileged code [i.e. core application] may be executed application 110 [i.e. third party application] seeking to execute a privileged code service 140, … privileged code policy engine 118 [i.e. access controller] to facilitate determining whether the originating application is authorized to execute the requested privileged code [i.e. core application]… enforce the determination and may either allow or disallow the execution of privileged code service 140 [i.e., access controller prevents the third-party application from unauthorized access to the core application]; ¶103, methods for enforcing security and access control policies on privileged code execution on mobile devices may include calling, by an application 110 to a system controller 134, to execute privileged code; requesting, by the system controller 134 to an inter-process communications controller 138A, for a permission to access the privileged code [i.e. core application]; requesting, by the system controller 134 to a privileged code policy engine 118 [i.e., access controller], a determination whether the application 110 is permitted to access the privileged code; determining, by the privileged code policy engine 118, whether the application 110 may execute the privileged code; and enforcing, by the system controller 134, the determination by the privileged code policy engine 118 [i.e., determining and enforcing whether the application is permitted to access privileged code is preventing the third-party application from unauthorized access to the core application]);
receiving, by the access controller, a command from the third-party application to access the core application (see Clancy ¶92, an application 110 [third-party application] seeking to execute a privileged code service 140 [i.e. a command to access the core application] may attempt to make such a privileged code service 140 execution attempt by interfacing with the system controller 134…this service may make an access decision request of the privileged code policy engine 118 [i.e. access controller receiving a command for access] to facilitate determining whether the originating application is authorized to execute the requested privileged code [i.e. receiving by the access controller a commend from the third-party application to access core application];
providing, by the access controller, the third-party application with access to the core application in response to the access controller receiving notification from the secure application that the command is authorized (see Clancy ¶92, service may make an access decision request of the privileged code policy engine 118 to facilitate determining whether the originating application is authorized to execute the requested privileged code [i.e. provide/prevent command to execute core application]; ¶¶108-109, the policy engine 118 determines whether a call, by an application 110, to execute privileged code may be executed.[i.e. providing/preventing access authorization to the core/privileged code/application]; ¶¶83 127, The policy server 106 [i.e. secure application] may serve policies upon request from the policy engine 118…permissions for applications, processes, users, groups 126, and other policy checks 128; ¶174, the policy engine 118 may be connected to policy server 106, which may push one or more policies 130 as policy data to the policy engine 118 [i.e. receiving notification from secure application]; ¶175, policy engine 118 may be used to enforce one or more security policies on the system 102 [i.e. providing/preventing access authorization to the core/privileged code/application upon receiving a notification from the secure application]); and
preventing, by the access controller, the third-party application from accessing the core application in response to the access controller receiving notification from the secure application that the command is unauthorized (see Clancy ¶92, service may make an access decision request of the privileged code policy engine 118 to facilitate determining whether the originating application is authorized to execute the requested privileged code [i.e. provide/prevent command to execute core application]; ¶¶108-109, the policy engine 118 determines whether a call, by an application 110, to execute privileged code may be executed. In some embodiments, the policy engine 118 [i.e. may be a privileged code policy engine; ¶¶83 127, The policy server 106 [i.e. secure application] may serve policies upon request from the policy engine 118…permissions for applications, processes, users, groups 126, and other policy checks 128; ¶174, the policy engine 118 may be connected to policy server 106, which may push one or more policies 130 as policy data to the policy engine 118 [i.e. receiving notification from secure application]; ¶175, policy engine 118 may be used to enforce one or more security policies on the system 102 [i.e. providing/preventing access authorization to the core/privileged code/application upon receiving a notification from the secure application]);
Although Clancy discloses:
transmitting, by the access controller, an authorization request to a secure application (see Clancy ¶127, policy server 106 may serve policy requests 622 from the policy engine 118 …, permissions for applications, processes, users, groups 126, and other policy checks 128.)
Clancy does not explicitly disclose but the related art Hockey discloses:
transmitting, by the access controller, an authorization request to a secure application storing credentials of a user (see Hockey ¶¶471 488, in order to execute the transaction requested by the external user-facing system/application 1308, the trusted third-party processor system 1312 communicates with the permissions management system 1304 to obtain account details (e.g., account and routing numbers) of the user, and to get authorization to execute the transaction) ;
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the systems for enforcing access control policies on privileged access for mobile devices disclosed by Clancy to include the secure permissioning of access to user accounts, including secure distribution of aggregated user account data as thought by Hockey. It would have been obvious to a person with ordinary skill in the art to create useful system and method for secure permissioning of access to user accounts, including secure distribution of aggregated user account data (see Hockey ¶5).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Montgomerie et al. US Pub. No.: 20210400037 A1: disclosing, Authenticated interaction with access control system is provided to prevent the surreptitious granting of access to privacy related functionality on an electronic device.
Modi et al. US Pub. No.: 20210392136 A1: disclosing, service and security enhancement of communication services and authorization for access to an application server and associated communication service.
Dunjic et al. US Pub. No.: 20210075791 A1: disclosing, managing third-party access to confidential data using dynamic ally generated application-specific credentials.
Dunjic et al. US Pub. No.: 20210089657 A1: disclosing, a method for data security and, in particular, to systems and methods for evaluating security of third-party applications that request to gain access to a protected data resource
Lin et al. US Pub. No.: 20190220419 A1: disclosing, secure electronic device safeguard intellectual property for the developers and further improves the security of the secure electronic device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cathy Thiaw can be reached at 5712701138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
NEGA . WOLDEMARIAM
Examiner
Art Unit 2407
/N.W/ Examiner, Art Unit 2407
/Catherine Thiaw/ Supervisory Patent Examiner, Art Unit 2407 6/15/2026