Ex Parte Boneh et al

Board of Patent Appeals and Interferences
Aug 5, 2009
10205575 (B.P.A.I. Aug. 5, 2009)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________
Ex parte DAN BONEH, RAJEEV CHAWLA, THOMAS D. FOUNTAIN, NAGENDRA MODADUGU, and ROD MURCHISON
____________
Appeal 2008-000937
Application 10/205,575
Technology Center 2400
____________
Decided: August 5, 2009
____________

Before JOHN A. JEFFERY, THU A. DANG, and CAROLYN D. THOMAS, Administrative Patent Judges.

JEFFERY, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner’s rejection of claims 1-52.[1] We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

[1] Although claims 1-68 are currently pending, the Notice of Appeal indicates that Appellants appeal the rejection of claims 1-52. See Notice of Appeal filed Oct. 10, 2006. The Appeal Brief, however, indicates that the rejection of claims 1-60 and 63-68 is appealed, and unambiguously states that the rejection of claim 62 is not appealed. See App. Br. 2, 23. Despite Appellants’ apparent intent to appeal claims 1-60 and 63-68 in the Appeal Brief, our jurisdiction to decide the present appeal is nonetheless constrained by the Notice of Appeal which unambiguously limited the appeal to the rejection of claims 1-52. Accordingly, we confine our decision to those claims. See Ex parte Ghuman, 88 USPQ2d 1478 (BPAI 2008) (precedential), available at http://www.uspto.gov/web/offices/dcom/bpai/prec/rm081175.pdf. Following our decision, the Examiner should cancel the non-appealed claims. See id.; see also MPEP § 1215.03, Rev. 3, Aug. 2005.

STATEMENT OF THE CASE

Appellants invented a method for client-side processing such as filtering and caching of secure content using Transport Layer Security (TLS) or Secure Socket Layer (SSL) protocols. A transparent controlled “man-in-the-middle” proxy terminates, caches, switches, and modifies secure client-side content.[2] Claim 1 is illustrative with the key disputed limitations emphasized:

1. A computer implemented method for client side transparent content processing, said computer implemented process comprising the acts of:
establishing a secure transport session between a client and a server via a transparent controlled man-in-the-middle proxy;
receiving, via the secure transport session, at said controlled man-in-the-middle proxy, a client request intended for said server, at least a portion of said client request being encrypted;
decrypting said client request; and
processing said decrypted client request.

[2] See generally Abstract; Spec. 9-10; Fig. 4.

The Examiner relies on the following as evidence of unpatentability:

Ramasubramani US 6,233,577 B1 May 15, 2001
Munger US 6,502,135 B1 Dec. 31, 2002 (filed Feb. 15, 2000)
Bellwood US 6,584,567 B1 June 24, 2003 (filed June 30, 1999)
Mastrianni US 6,615,276 B1 Sept. 2, 2003 (filed Feb. 9, 2000)

1. The Examiner rejected claims 1-14, 18, 21-29, 33, 36-51, 55, 58, 59, and 62 under 35 U.S.C. § 102(e) as anticipated by Bellwood. Ans. 3-18.

2. The Examiner rejected claims 15, 16, 19, 20, 30, 31, 34, 35, 52, 53, 56, 57, and 63-68 under 35 U.S.C. § 103(a) as unpatentable over Bellwood and Ramasubramani. Ans. 19-27.

3. The Examiner rejected claims 17, 32, and 54 under 35 U.S.C. § 103(a) as unpatentable over Bellwood, Ramasubramani, and Munger. Ans. 27-28.

4. The Examiner rejected claim 60 under 35 U.S.C. § 103(a) as unpatentable over Mastrianni and Bellwood. Ans. 29-32.

Rather than repeat the arguments of Appellants or the Examiner, we refer to the Briefs and the Answer[3] for their respective details.
In this decision, we have considered only those arguments actually made by Appellants. Arguments which Appellants could have made but did not make in the Briefs have not been considered and are deemed to be waived. See 37 C.F.R. § 41.37(c)(1)(vii).

[3] Throughout this opinion, we refer to (1) the Appeal Brief filed December 4, 2006; (2) the Examiner’s Answer mailed March 19, 2007; and (3) the Reply Brief filed May 18, 2007.

THE ANTICIPATION REJECTION

Regarding representative claim 1,[4] the Examiner finds that Bellwood discloses all of the claimed subject matter. In reaching this conclusion, the Examiner equates Bellwood’s “middle” transcoding proxy 15 to the recited “transparent controlled man-in-the-middle proxy” since it functions without the server’s knowledge or participation. Ans. 4, 5, 33-36. According to the Examiner, the operation of Bellwood’s transcoding proxy fully meets “client side transparent content processing” since the transcoding proxy functions on the client’s behalf without the server’s knowledge or participation. Ans. 35.

[4] Appellants argue seven different grounds pertaining to the following claims and their dependent claims: (1) claim 1 (App. Br. 6-12); (2) claim 9 (App. Br. 13-14); (3) claim 14 (App. Br. 14-15); (4) claim 24 (App. Br. 16-19); (5) claim 38 (App. Br. 20); (6) claim 46 (App. Br. 20-21); (7) claim 51 (App. Br. 21). Accordingly, we group the claims as follows: (1) claims 1-8 and 23; (2) claims 9-14, 18, 21, and 22; (3) claims 24-29, 33, 36, 37, and 46-51; and (4) claims 38-45. We also select claims 1, 9, 24, and 38 as representative of each respective group. See 37 C.F.R. § 41.37(c)(1)(vii).

Appellants argue that Bellwood’s transcoding proxy is not a transparent proxy as the term is understood by skilled artisans.
Appellants cite a definition of the term “transparent proxy” as “a proxy that does not modify the request or response beyond what is required for proxy authentication and identification.” App. Br. 6; Reply Br. 5. Based on this definition, Appellants contend that Bellwood’s transcoding proxy is not transparent since it modifies data to satisfy the client’s transcoding needs. App. Br. 6; Reply Br. 5-6.

Appellants further contend that Bellwood’s transcoding proxy is not a “man-in-the-middle” proxy since a man-in-the-middle proxy is able to read, insert, and modify messages between a client and server without either party knowing. App. Br. 7; Reply Br. 6. Appellants emphasize that the client in Bellwood is aware of the proxy and, as such, the proxy is not a man-in-the-middle proxy. App. Br. 6-12; Reply Br. 6-7.

Appellants also argue that Bellwood does not disclose client side transparent content processing as claimed, as well as a man-in-the-middle proxy that intercepts client requests intended for a server as claimed. App. Br. 12.

Regarding claim 9, the Examiner finds that Bellwood (a) discloses that the proxy “intercepts” a client request to establish a client-server session with the server in Step (3) of Figure 4 (i.e., the client’s HTTP CONNECT request with a request for a session identifier), and then (b) establishes a client-proxy secure session such that the client interprets this session as the requested client-server secure session as claimed. Ans. 36-37.[5]

[5] Regarding claim 9, the Examiner refers to the Response to Argument section in connection with claim 24 in view of their similar limitations. Ans. 41. We likewise refer to Appellants’ arguments regarding claim 24 in connection with claim 9.

Appellants argue that Bellwood’s client request is not intercepted as the Examiner contends since it is directed to the proxy itself. Appellants add that the server has not been introduced at this point in the session since the session is between the client and the proxy. App. Br. 14, 17, 19; Reply Br. 8-10. Moreover, Appellants contend, the client is not tricked by the proxy into believing that the client-proxy secure session is a requested client-server secure session. App. Br. 19.

The issues before us, then, are as follows:

ISSUES

1. Under § 102, have Appellants shown that the Examiner erred in rejecting claim 1 by finding that:
(a) Bellwood’s transcoding proxy constitutes a “transparent controlled man-in-the-middle proxy”;
(b) Bellwood discloses “client side transparent content processing”; and
(c) Bellwood’s transcoding proxy receives a client request intended for a server?

2. Under § 102, have Appellants shown that the Examiner erred in rejecting claim 9 by finding that:
(a) Bellwood’s proxy intercepts a client request to establish a client-server session with the server in step (3) of Figure 4, and
(b) Bellwood establishes a client-proxy secure session such that the client interprets this session as the requested client-server secure session?

FINDINGS OF FACT

The record supports the following findings of fact (FF) by a preponderance of the evidence:

Bellwood

1. Bellwood discloses a method of enabling a proxy (15 or 15”) to participate in a secure communication between a client (10’ or 10”) and a set of servers (12’ or 12”). To this end, the client establishes two distinct secure sessions between the client and the proxy. Bellwood, Abstract; col. 2, ll. 45-50; col. 4, l. 65 − col. 5, l. 10; Figs. 2-4.

2. The first secure session is used as a pipe or conduit for passing secret information between the client and the proxy. The second secure session, however, uses the proxy to tunnel[6] to the origin server 12’. Bellwood, col. 5, ll. 2-10; Fig. 3.

3.
After authenticating the validity of the requested certificate received from the proxy in the first session, the client then requests to tunnel to a given origin server (e.g., using the HTTP CONNECT method). As part of this request, the client adds a header to the HTTP request notifying the proxy to generate an internal session identifier. Bellwood, col. 5, ll. 40-52; Figs. 3A (steps 20, 22, and 24) and 4.

4. After the proxy generates a unique session identifier and returns this information to the client, the proxy establishes a connection with the origin server and allows data to flow between the client and the origin server. At this point, the proxy behaves like a tunnel. Bellwood, col. 5, ll. 54-61; Figs. 3A (steps 26 and 28) and 4.

[6] “A tunnel is an intermediary program that acts as a blind relay between two connections.” Bellwood, col. 5, ll. 10-11.

5. Once the proxy receives the internal session identifier and the session master secret from the client, the proxy then switches to an “active proxy” for the current connection with the origin server. Bellwood, col. 5, l. 66 − col. 6, l. 9; Figs. 3A, 3B (steps 32 and 34), and 4.

6. The client then sends a secure HTTP request for a resource on the origin server. Optionally, the proxy may (1) decrypt the request; (2) modify it; (3) encrypt the new request; and (4) send the encrypted new request to the origin server. Bellwood, col. 6, ll. 10-13; Fig. 3B (steps 36 and 38) and 4.

7. Upon receipt, the origin server satisfies the request and sends reply data back to the proxy. The proxy then (1) decrypts the received content, and (2) modifies the data to satisfy the client’s transcoding needs. Bellwood, col. 6, ll. 14-19; Fig. 3B (steps 40 and 42) and 4.

8. The origin server is preferably unaware of the proxy’s participation in the secure connection. Bellwood, col. 2, ll. 57-61; col. 6, ll. 15-17; col. 7, ll. 15-18.

9.
The client performs a handshake with the origin server to negotiate a session master secret, and the proxy does not become an “active proxy” until the client forwards the session master secret. Bellwood, col. 5, ll. 61-66; Figs. 3A (step 30) and 4.

PRINCIPLES OF LAW

Anticipation is established only when a single prior art reference discloses, expressly or under the principles of inherency, each and every element of a claimed invention as well as disclosing structure which is capable of performing the recited functional limitations. RCA Corp. v. Appl. Dig. Data Sys., Inc., 730 F.2d 1440, 1444 (Fed. Cir. 1984); W.L. Gore & Assoc., Inc. v. Garlock, Inc., 721 F.2d 1540, 1554 (Fed. Cir. 1983).

During patent examination, claims are given their broadest reasonable interpretation in light of the Specification as it would be interpreted by skilled artisans. Phillips v. AWH Corp., 415 F.3d 1303, 1316 (Fed. Cir. 2005) (en banc) (citations omitted).

ANALYSIS

Claims 1-8 and 23

We begin by construing the first key disputed limitation of claim 1, namely a “transparent proxy.” Although Appellants provide a definition of such a proxy as one “that does not modify the request or response beyond what is required for proxy authentication and identification” (App. Br. 6; Reply Br. 5), we find nothing on this record that mandates this definition of the term. Rather, as Appellants indicate (Reply Br. 6), the term “transparent” in the computer context can also mean “(of a process or software) operating in such a way as to not be perceived by users.” This broader definition not only reasonably comports with the Specification, but also another computer dictionary which defines the term “transparent” as “[n]ot visible, hidden; said of a system which functions in a manner not evident to the user. . . .”[7]

Despite Appellants’ contentions to the contrary (Reply Br.
6), we see no error in the Examiner’s position (Ans. 34) that Bellwood’s transcoding proxy constitutes a “transparent proxy” at least with respect to the server. It is undisputed that Bellwood’s server is unaware of the proxy’s participation in the secure connection of the second session. FF 8. Although the client is aware of the proxy’s participation by virtue of the client’s affirmative interaction with the proxy to establish both sessions (see FF 2-5), the scope of the term “transparent proxy” simply does not preclude the proxy’s transparency with respect to only the server. Further, Bellwood’s transparent content processing method is a “client side” process since the client affirmatively establishes the secure sessions. See FF 1-5.

We likewise see no error in the Examiner’s equating Bellwood’s transcoding proxy to a “man-in-the-middle” proxy. Although Appellants argue that such a proxy is able to observe and intercept messages between a server and client without either party knowing of the existence of the proxy (App. Br. 7; Reply Br. 6), Appellants have provided no evidence before us that mandates such a narrow construction of the term. We therefore decline to adopt this narrower interpretation, and instead interpret the term with its broadest reasonable interpretation in light of the Specification. See Phillips, 415 F.3d at 1316. As such, we interpret a “man-in-the-middle proxy” as one that is interposed or otherwise situated between two entities (e.g., a client and server).

[7] Foldoc Free On-Line Dictionary of Computing, Imperial Coll. Dept. of Computing, Denis Howe ed., at http://foldoc.org/transparent (last visited July 25, 2009).

As shown in Figure 4, Bellwood’s transcoding proxy is an intermediate entity that is interposed between the client and the server. See FF 1.
Bellwood explains that this intervening proxy is used for, among other things, (1) tunneling to the server; (2) modifying client requests; and (3) tailoring content received from the server to suit the client’s needs. See FF 2-7. As we indicated previously, this process is transparent at least with respect to the server. See FF 8. Based on this functionality, we see no error in the Examiner’s position that Bellwood’s transcoding proxy constitutes a “man-in-the-middle” proxy.

We also find unavailing Appellants’ contention (App. Br. 12) that Bellwood’s proxy is not a man-in-the-middle proxy that intercepts client requests. Although the term “intercept” is not recited in claim 1, the claim does call for the proxy to receive, decrypt, and process a client request intended for the server. These steps, however, are fully met by the client in Bellwood sending a secure HTTP request for a resource on the origin server. See FF 6. That is, the client’s request is ultimately intended to be fulfilled by the server. See id. But the proxy can decrypt and modify this request, and send an encrypted new request to the server. Id. The fact that this intervention on the part of the proxy is optional (FF 6) is telling in this regard since it further reinforces the notion that the client’s request is ultimately intended for the server—not the proxy. And when the proxy is used in this fashion, it would certainly (1) receive an encrypted client request intended for the server; (2) decrypt this request; and (3) process the decrypted request as claimed. See id.

For the foregoing reasons, Appellants have not persuaded us of error in the Examiner’s rejection of representative claim 1. Therefore, we will sustain the Examiner’s rejection of that claim, and claims 2-8 and 23 which fall with claim 1.

Claims 9-14, 18, 21, and 22

We will not, however, sustain the Examiner’s rejection of claim 9 which recites the step of “intercepting” a request.
We begin by construing the key disputed term “intercepting.” The term “intercept” is defined, in pertinent part, as “to stop, seize, or interrupt in progress or course or before arrival” or, alternatively, “to receive (a communication or signal directed elsewhere) usually secretly.”[8] Based on these definitions, “intercepting” a request requires receiving the request prior to its arrival at its destination.

[8] Merriam-Webster’s Online Dictionary, at http://www.merriam-webster.com/dictionary/intercept (emphasis added).

As such, the Examiner’s assertion that Bellwood’s proxy “intercepts” a client-issued request to establish a secure session with the original server in step (3) of Figure 4 (Ans. 36-37) is problematic. As Figure 4 illustrates, step (3) corresponds to the client’s initial request to tunnel to the origin server in the second session. FF 3. But this request is directed to the proxy—not the server. That is, this request merely asks the proxy to (1) tunnel to the server, and (2) generate and send a session identifier to the client. Id. As such, the proxy does not intercept this request, but merely receives (and processes) it as the intended recipient.

Nor do we find that Bellwood establishes a client-proxy secure session such that the client interprets this session as the requested client-server secure session as the Examiner contends (Ans. 37). Bellwood does establish a client-proxy connection in the second session in which the proxy functions as an “active proxy” and can modify requests destined for the server (FF 5-6). But nothing in Bellwood indicates that the client interprets this client-proxy secure session as the requested client-server secure session as claimed.
In fact, the client-server connection is established before the proxy becomes active (i.e., before the client forwards the master session secret) (FF 9), and there is simply nothing to suggest that the client-proxy session is interpreted as the client-server session.

For the foregoing reasons, Appellants have persuaded us of error in the Examiner’s rejection of claim 9. Therefore, we will not sustain the Examiner’s rejection of that claim, and dependent claims 10-14, 18, 21, and 22 for similar reasons.

Claims 24-29, 33, 36, 37 and 46-51

Since claims 24 and 46 recite limitations commensurate with those recited in claim 9, we will not sustain the Examiner’s rejection of claims 24 and 46 for the reasons indicated above with respect to claim 9. Likewise, we will reverse the rejection of dependent claims 25-29, 33, 36, 37 and 47-51 for similar reasons.

Claims 38-45

Since independent claim 38 recites limitations commensurate with those recited in claim 1, we will sustain the Examiner’s rejection of independent claim 38 for the reasons indicated above with respect to claim 1. Likewise, we will sustain the Examiner’s rejection of dependent claims 39-45, which are not separately argued.

THE OBVIOUSNESS REJECTIONS

Since we find that the additionally cited references in the obviousness rejections do not cure the deficiencies noted above with respect to claims 9, 24 and 46, we will not sustain the obviousness rejections of claims 15-17, 19, 20, 30-32, 34, 35, and 52 for similar reasons.

CONCLUSIONS

Appellants have not shown that the Examiner erred in rejecting claims 1-8, 23, and 38-45 under § 102. Appellants, however, have shown that the Examiner erred in rejecting claims 9-14, 18, 21, 22, 24-29, 33, 36, 37, and 46-51 under § 102, and (2) claims 15-17, 19, 20, 30-32, 34, 35, and 52 under § 103.

ORDER

The Examiner’s decision rejecting claims 1-52 is affirmed-in-part.
No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART

pgc

DRINKER BIDDLE & REATH
ATTN: INTELLECTUAL PROPERTY GROUP
ONE LOGAN SQUARE
18TH AND CHERRY STREETS
PHILADELPHIA, PA 19103-6996