Ex parte Foster et al., Appeal 2014-009480, Application 10/192,999 (P.T.A.B. Sep. 27, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE
Application No. 10/192,999; filing date 07/10/2002
First named inventor: Ward Scott Foster
Attorney docket no. 82000022; confirmation no. 7182
Examiner: Jeffrey D. Popham; Art Unit 2491
Correspondence address: HP Inc, 3390 E. Harmony Road, Mail Stop 35, Fort Collins, CO 80528-9544
Notification date: 09/29/2016; delivery mode: electronic (notice sent to ipa.mail@hp.com, barbl@hp.com, yvonne.bailey@hp.com)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte WARD SCOTT FOSTER, ROBERT JOHN MADRIL, JR., and SHELL STERLING SIMPSON

Appeal 2014-009480
Application 10/192,999 [1]
Technology Center 2400

Before MAHSHID D. SAADAT, DAVID M. KOHUT, and JUSTIN BUSCH, Administrative Patent Judges.

BUSCH, Administrative Patent Judge.

DECISION ON APPEAL

Appellants seek our review under 35 U.S.C. § 134 of the Examiner's final decision rejecting claims 1-7, 16-19, 26, and 34-42, which are all the claims pending in the application. Claims 8-15, 20-25, and 27-33 were cancelled previously. We have jurisdiction under 35 U.S.C. § 6(b). We REVERSE.

[1] According to Appellants, the real party in interest is Hewlett-Packard Development Company, LP. App. Br. 2.

CLAIMED SUBJECT MATTER

Claims 1, 16, and 26 are independent claims.
The claims generally relate to "a method and system for providing secure but limited access to a resource in a distributed environment." Spec. ¶ 1. Claim 1 is representative and reproduced below:

    1. In a computer network, a method for granting a request from a first resource to access a second resource comprising a circuit, said method comprising:
        with said second resource, receiving a session request to access the second resource in a new session;
        verifying that the request was received from the first resource;
        for each individual session request received, verifying that an authorized client directed the first resource to request access to the second resource; and
        authenticating credentials presented for the client;
        wherein, for each individual session request for access by the first resource to the second resource, access is granted only for an individual request that is verified as having been initiated by said client.

REJECTIONS

Claims 1-3, 16-19, and 26 stand rejected under 35 U.S.C. § 102(e) as being anticipated by Buhle (US Pat. No. 6,286,104 B1, iss. Sept. 4, 2001). Final Act. 9-13.

Claims 1, 4-7, 16, 18, 19, 26, 34, and 35 stand rejected under 35 U.S.C. § 103(a) as being obvious in view of Kramer (US Pat. No. 6,986,040 B1, iss. Jan. 10, 2006). Final Act. 14-19.

Claims 2, 3, and 17 stand rejected under 35 U.S.C. § 103(a) as being obvious in view of Kramer and BEA (BEA Systems, Using WebLogic SSL, http://www.weblogic.com/docs51/classdocs/API_secure.html (last visited Feb. 28, 2006)). Final Act. 19-21.

Claims 36-42 stand rejected under 35 U.S.C. § 103(a) as being obvious in view of Kramer and Rosko (US Pat. No. 8,438,086, iss. May 7, 2013). Final Act. 21-24.
THE APPLIED PRIOR ART

Buhle

Buhle is directed to systems and methods "for allowing a middle-tier server in a relational database system to perform database operations on behalf of clients in a manner that ensures proper authentication, accountability and auditing at each tier." Buhle 1:7-11. Buhle purports to address "a need for a relational database system that allows a database administrator to limit or restrict the authority and ability of middle-tier servers," such that the "middle-tier server's actions would be auditable and the administrator would be able to limit the privileges and/or roles of clients and middle-tier servers when a client connects to a data server through a middle-tier server." Id. at 1:66-2:5. According to Buhle, certain prior art methods were not able to prevent "the middle-tier server from assuming one client's identity (e.g., one with high-level privileges) and performing database operations on its own behalf or on behalf of a different user." Id. at 1:57-60. Buhle describes that a "middle-tier server through which clients connect to a data server is configured to [both] connect to (e.g., establish a session with) a data server under the middle-tier server's own identity (e.g., application name, server name)" as well as "establish sessions for one or more clients in order to perform database operations on their behalf." Id. at 2:17-23.

Kramer

Kramer is directed to systems and methods "for establishing a secure communication channel between a client and an application server." Kramer 2:11-13. Specifically, a client obtains a ticket, which has an identifier and a session key, from a ticket service over a secure communication channel, and sends the identifier to the application server for which access is desired. Id. at 2:13-18, 2:25-30, 2:36-40. The application server then obtains a copy of the session key from the ticket service. Id. at 2:19-20, 2:30-33, 2:40-42, 8:5-15.
The client and application server then encrypt and decrypt messages using the session key, thus establishing a secure communication channel. Id. at 2:20-24, 2:42-45. In an alternative embodiment, the ticket service transmits the ticket (both the session key and identifier) to the application server without the application server requesting the ticket; the application server then finds the session key locally using the identifier the client transmits. Id. at 8:45-52. Accordingly, Kramer describes various embodiments for granting a client access to an application on an application server and encrypting communications between the client and application server without transmitting client or user credentials in an unsecured manner. Id. at 2:11-13.

OPINION

Claim Construction

Independent claims 1, 16, and 26 recite a method, computer-readable medium, and system, respectively, for granting a first resource access to a second resource upon verification and authentication of certain details relating to a request for such access. Claim 1 recites, in part, "for each individual session request received, verifying that an authorized client directed the first resource to request access to the second resource" and "for each individual session request for access by the first resource to the second resource, access is granted only for an individual request that is verified as having been initiated by said client." Independent claims 16 and 26 recite similar limitations. The Examiner states that, because "there is only a single request in claim 1," "stating 'for each individual session request received' ... [and] 'for each individual session request [for access] by the first resource to the second resource' is meaningless." Ans. 3-4. We disagree.
The identified language recited in claims 1, 16, and 26 requires the recited systems and method to verify each session request received by the system/method and to grant access to the resource for which access is requested only when the system or method verifies that a client initiated or directed the request. Accordingly, the claims are not directed to systems or methods that do not verify, for each session request received, that "a client directed the first resource to request access to the second resource." Similarly, the claims are not directed to systems or methods in which access is granted to the requested resource when the system or method does not verify that a client initiated or directed the request.

Additionally, the Examiner implicitly interprets the claim to mean that the client directs the first resource to send a request to the second resource seeking access, by the client, to the second resource. See Final Act. 7; Ans. 7. Appellants, on the other hand, implicitly construe the claims to require that the client directs the first resource to request access, by the first resource, to the second resource. See App. Br. 16; Reply Br. 13-14. We have reviewed the claims and the Specification and we agree with Appellants' implicit construction of the claims. Specifically, claim 16 recites "granting that individual request for the first resource to access the second resource." Claim 16, therefore, explicitly states the request is "for the first resource to access the second resource." Claim 1 recites "verifying that an authorized client directed the first resource to request access to the second resource," and claim 26 recites "a client ... directed the second resource to request to access to the resource service." The Specification provides additional context regarding the claimed invention.
In the Background of the Invention, the Specification explains that "granting one resource access to another resource compounds the security considerations." Spec. ¶ 5. The Specification identifies a particular security problem that "the user has no assurance that the printing resource will not again access the data resource using the provided credentials without user's consent or knowledge." Id. The Specification also clearly states "the present invention is directed to ... providing a first network resource with secure but limited access to a second network resource," and "the first resource cannot access the second without the user's knowledge or, at least, implicit consent." Id. ¶ 6 (emphases added). Accordingly, we determine that the broadest reasonable interpretation of the claims in light of the Specification recites, in part, requests for access, by a first resource, to a second resource.

Anticipation of Claims 1-3, 16-19, and 26 by Buhle

As discussed above, Buhle discloses a system allowing a middle-tier server to establish a session with (i.e., connect to or access) a data server either on behalf of the middle-tier server itself or on behalf of one or more clients. Buhle 2:17-23. The Examiner maps the middle-tier server to the recited first resource and the data server to the recited second resource.
Thus, because Buhle discloses granting the middle-tier server (first resource) access to the data server (second resource), even when the access requested is not done at the direction of the client, Buhle does not disclose "for each individual session request received, verifying that an authorized client directed the first resource to request access to the second resource," or "for each individual session request for access by the first resource to the second resource, access is granted only for an individual request that is verified as having been initiated by said client," as recited in claim 1 and commensurately recited in claims 16 and 26.

Obviousness of Claims 1-7, 16-19, 26, and 34-42 in view of Kramer

Appellants argue Kramer "addresses an entirely different situation than that claimed" because "Kramer describes a 'client' device directly accessing an application server," rather than "the claimed scenario in which a client (operated by an authorized user) directs a first resource to access a second resource." App. Br. 16 (stating Kramer is inapposite because "[t]here is an actor missing in the scenario of Kramer"); Reply Br. 13. Responsive to the Examiner's mappings (i.e., Kramer's ticket service corresponding to the recited first resource and Kramer's application server corresponding to the recited second resource), Appellants assert "Kramer is missing a 'first resource' which accesses a 'second resource' on behalf of the user/client." Reply Br. 14. Appellants further clarify that Kramer's client directly accesses the application server, and "[t]he ticket service in Kramer does not access a resource on behalf of the client, but rather sends the client a key to directly establish a communication channel with the desired resource." Id. (citing Kramer Abstr.).
As discussed above, Appellants implicitly argue in this appeal that the proper construction of the claims requires a client directing a first resource to request access, by the first resource, to a second resource and, upon verifying certain information, granting the first resource access to the second resource. Thus, Appellants contend there is an "actor missing" because Kramer's client directly accesses the application server, and there is no intermediate "actor" that accesses the application server at the direction of the client. App. Br. 16. Given our construction of the claims discussed above, the Examiner has not sufficiently shown that Kramer renders obvious the claims because the Examiner has not identified any disclosure in Kramer that teaches or suggests a request for, or grant of access by, the first resource to the second resource.

DECISION

For the above reasons, the Examiner's decision to reject claims 1-3, 16-19, and 26 under 35 U.S.C. § 102(e) and to reject claims 1-7, 16-19, 26, and 34-42 under 35 U.S.C. § 103(a) is reversed.

REVERSED
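The distinction on which the Board's construction turns, between a first resource that may access a second resource only when an authorized client has directed that individual request (claims 1, 16, and 26) and a middle-tier server that can also open sessions under its own identity (Buhle), can be made concrete in code. The following Python simulation is an added example written for this page; it is not code from the application, from Buhle, or from Kramer. The mechanism it uses is an assumption chosen for illustration, since the decision describes none: the client signs a one-time "direction" (naming both resources, carrying a fresh request_id and an expiry) with a pre-shared HMAC key, the first resource signs its session request with its own pre-shared key, and the client's credentials are checked against a PBKDF2 hash. The names "alice", "printer" and "data-store" are likewise constructed. The second resource applies the four checks of claim 1 to every session request and grants access only for the individual request the client directed; a request the first resource issues on its own, a replayed direction, and a wrong password are each refused.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets for the simulation (assumption: the decision specifies no key scheme).
CLIENT_KEY = b"alice-direction-signing-key"         # shared by the client and the second resource
FIRST_RESOURCE_KEY = b"printer-request-signing-key"  # shared by the first and second resources
PASSWORD_SALT = b"constructed-salt"


def _sign(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _password_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 10_000)


def client_directs(first, second, password, ttl_seconds=60):
    """The client directs the first resource to access the second resource, once.

    The direction names both resources, carries a fresh request_id, expires, and is
    signed by the client, so the first resource cannot widen, redirect or reuse it.
    """
    direction = {
        "client": "alice",
        "first": first,
        "second": second,
        "request_id": secrets.token_hex(8),
        "exp": int(time.time()) + ttl_seconds,
    }
    return {
        "direction": direction,
        "client_sig": _sign(CLIENT_KEY, direction),
        "credentials": {"user": "alice", "password": password},
    }


def first_resource_requests(envelope):
    """The first resource ("printer") sends a session request to the second resource.

    envelope=None models Buhle-style behaviour: the first resource opening a session
    under its own identity with no client direction behind it.
    """
    request = {
        "from": "printer",
        "direction": envelope["direction"] if envelope else None,
        "client_sig": envelope["client_sig"] if envelope else "",
        "credentials": envelope["credentials"] if envelope else {},
    }
    request["first_sig"] = _sign(FIRST_RESOURCE_KEY, request)  # signed before first_sig is added
    return request


class SecondResource:
    """The resource being accessed; applies the four checks of claim 1 to every request."""

    def __init__(self, name):
        self.name = name
        self.first_resource_keys = {"printer": FIRST_RESOURCE_KEY}
        self.client_keys = {"alice": CLIENT_KEY}
        self.password_hashes = {"alice": _password_hash("correct horse")}
        self.used_request_ids = set()

    def handle_session_request(self, request, now=None):
        now = time.time() if now is None else now
        # 1. Verify the request was received from a known first resource.
        sender_key = self.first_resource_keys.get(request.get("from"))
        body = {k: v for k, v in request.items() if k != "first_sig"}
        if sender_key is None or not hmac.compare_digest(
            request.get("first_sig", ""), _sign(sender_key, body)
        ):
            return False, "request not verifiably from the first resource"
        # 2. Verify, for this individual request, that an authorized client directed it.
        direction = request.get("direction")
        if direction is None:
            return False, "no client direction: first resource acting on its own"
        client_key = self.client_keys.get(direction.get("client"))
        if client_key is None or not hmac.compare_digest(
            request.get("client_sig", ""), _sign(client_key, direction)
        ):
            return False, "direction not signed by an authorized client"
        if direction["first"] != request["from"] or direction["second"] != self.name:
            return False, "direction is for a different pair of resources"
        if direction["exp"] < now:
            return False, "direction expired"
        if direction["request_id"] in self.used_request_ids:
            return False, "direction already used (replay)"
        # 3. Authenticate the credentials presented for the client.
        creds = request.get("credentials", {})
        expected = self.password_hashes.get(creds.get("user"))
        presented = _password_hash(creds.get("password", ""))
        if expected is None or not hmac.compare_digest(expected, presented):
            return False, "client credentials rejected"
        # 4. Grant access for this individual request only; the direction is now spent.
        self.used_request_ids.add(direction["request_id"])
        return True, "session granted for this request only"


def demo():
    """Runs the scenarios the decision contrasts and returns the outcome of each."""
    store = SecondResource("data-store")
    directed = first_resource_requests(client_directs("printer", "data-store", "correct horse"))
    results = {"client_directed": store.handle_session_request(directed)}
    results["replayed_direction"] = store.handle_session_request(directed)
    results["own_identity"] = store.handle_session_request(first_resource_requests(None))
    results["wrong_password"] = store.handle_session_request(
        first_resource_requests(client_directs("printer", "data-store", "wrong"))
    )
    return results


if __name__ == "__main__":
    for scenario, (granted, reason) in demo().items():
        print(f"{scenario:18s} granted={granted!s:5s} {reason}")
```

The replay case is the one the Specification singles out (the printing resource accessing the data resource "again ... using the provided credentials without user's consent or knowledge"): because the direction is bound to a single request_id that the second resource marks as spent, a second session request carrying the same direction fails even though every signature on it is still valid. The own-identity case is the Buhle behaviour the Board found outside the claims: the request is authentically from the first resource, but with no client direction behind it the second resource refuses the session.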