Ex Parte Foster et al

Board of Patent Appeals and Interferences

Sep 10, 2010

10373990 (B.P.A.I. Sep. 10, 2010)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES

Ex parte WARD SCOTT FOSTER, ROBERT JOHN MADRIL JR. and SHELL STERLING SIMPSON

Appeal 2009-006433
Application 10/373,990
Technology Center 2400

Before JOHN A. JEFFERY, HOWARD B. BLANKENSHIP, and JAMES R. HUGHES, Administrative Patent Judges.

Opinion for the Board filed by Administrative Patent Judge JOHN A. JEFFERY.

Opinion Dissenting-In-Part filed by Administrative Patent Judge HOWARD B. BLANKENSHIP.

JEFFERY, Administrative Patent Judge.

DECISION ON APPEAL¹

¹ The two-month time period for filing an appeal or commencing a civil action, as recited in 37 C.F.R. § 1.304, or for filing a request for rehearing, as recited in 37 C.F.R. § 41.52, begins to run from the “MAIL DATE” (paper delivery mode) or the “NOTIFICATION DATE” (electronic delivery mode) shown on the PTOL-90A cover letter attached to this decision.

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner’s rejection of claims 1-51. We have jurisdiction under 35 U.S.C. § 6(b). We affirm-in-part.

STATEMENT OF THE CASE

Appellants invented a method and system for accessing a resource securely. See generally Spec. ¶¶ 0001, 0006. Claim 1 is illustrative:

1.
In a computer network, a method for granting a request from a first resource to access a second resource, comprising: associating a check with data identifying an expected source of a future request to access the second resource; receiving, from the first resource, a request to access the second resource, the request including the check and data identifying the first resource; authenticating the check; and granting the request to access the second resource only if the check is authentic and data identifying the first resource matches the data identifying the expected source associated with the check.

The Examiner relies on the following as evidence of unpatentability:

Villavicencio US 7,231,661 B1 June 12, 2007 (filed June 21, 2001)

The Examiner rejected claims 1-51 under 35 U.S.C. § 102(e) as anticipated by Villavicencio. Ans. 3-18.²

² Throughout this opinion, we refer to (1) the Appeal Brief filed March 10, 2008; (2) the Examiner’s Answer mailed May 29, 2008; and (3) the Reply Brief filed July 29, 2008.

CLAIM GROUPING

Appellants argue the following claim groupings separately: (1) claims 1-3, 20-22, and 39-41; (2) claims 4-9, 23-28, and 42-45; (3) claims 10-14, 29-33, and 46-51; and (4) claims 15-19 and 34-38. See App. Br. 10-15; Reply Br. 4-8. Accordingly, we select claims 4 and 10 as representative of groups (2)-(3), respectively. See 37 C.F.R. § 41.37(c)(1)(vii).

CONTENTIONS

Regarding independent claim 1, the Examiner finds that Villavicencio discloses all recited elements, including granting the request to access a second resource if the check is authentic and data identifying the first resource matches with the data identifying the expected source associated with the check by using an authorization scheme to examine an authentication level and Villavicencio’s authentication cookie. Ans. 3-5.
Appellants argue that Villavicencio does not mention: (1) the second request includes data identifying the request’s source, and (2) granting the second request only if data identifying the first resource matches with data identifying the expected source associated with the cookie. App. Br. 10-11; Reply Br. 4.

As for representative independent claim 4, the Examiner finds that Villavicencio discloses all the recitations, including receiving a request for a check and associating the check with the data identifying the first resource by requesting a resource that receives an authentication cookie. Ans. 6-7. Appellants argue that Villavicencio does not receive a request for a cookie but rather a request to access a resource and does not associate the cookie with data identifying the first resource. App. Br. 12; Reply Br. 5-7.

Regarding representative independent claim 10, the Examiner finds Villavicencio discloses all the recitations. Ans. 9-11. Referring to the arguments made for claims 1 and 4, Appellants assert that Villavicencio fails to disclose receiving a request for a check, associating the check with the data identifying the first resource, and granting the request for a second resource. App. Br. 13; Reply Br. 7-8.

Finally, as for independent claim 15, the Examiner finds Villavicencio discloses all the recitations. Ans. 12-15. Again, referring to the arguments made for claims 1 and 4, Appellants assert that Villavicencio fails to disclose receiving a request for a check, associating the check with the data identifying the first resource, and granting the request for a second resource. App. Br. 13-14. Appellants also contend that Villavicencio’s web gate creates the information in the cookie, and thus, the browser or first resource does not sign the check as recited. App. Br. 14-15; Reply Br. 8.
The issues before us, then, are as follows:

ISSUES

Under § 102, has the Examiner erred by finding that Villavicencio discloses:

(1) granting the second resource request only if the check is authentic and data identifying the first resource matches the data identifying the expected source associated with the check as recited in claim 1;

(2) (a) receiving a request for a check, and (b) associating the check with the data identifying the first resource as recited in claim 4;

(3) (a) receiving a request for a check; (b) associating the check with the data identifying the first resource; and (c) granting the request to access the second resource only if the check is authentic and is signed with data matching the data identifying the first resource associated with the check as recited in claim 10; and

(4) the first resource signs the check with data identifying the first resource as recited in claim 15?

FINDINGS OF FACT

1. Appellants define a check as “a unique piece of electronic data to be presented when requesting access to resource 26.” Spec. ¶ 0025.

2. Villavicencio discloses an authentication system that includes associating user identification information with a request to access a first resource and is used to create information for a cookie if the user satisfies the authorization rule. The cookie is passed to the user’s browser and stored on a client associated with the request. Villavicencio, col. 2, ll. 23-32; col. 22, ll. 6-14.

3. Villavicencio states the user can request access to a second resource. The request includes the authentication cookie’s content and is sent by the user’s browser. The cookie is evaluated. If the authentication level for the first resource is equal to or greater than the authentication level of the second resource, re-authentication is not required. Otherwise, the user must re-authenticate. Villavicencio, col. 2, ll. 33-38; col. 22, ll. 14-29.

4.
Villavicencio explains that a cookie 1450 includes user identification information, including an authentication level 1452, a user ID 1454 of the authenticated user, an IP address 1456 of an authenticated user, and a secure hash 1462. Villavicencio, col. 37, ll. 14-19, 28-33; Fig. 37.

ANALYSIS

Claims 1-3, 20-22, and 39-41

Based on the record before us, we find error in the Examiner’s anticipation rejection of independent claim 1 which calls for, in pertinent part, granting a request to access a second resource only if the check is authentic and data identifying the first resource matches the data identifying the expected source that is associated with the check.

Villavicencio discloses a process for granting a request that includes associating user identification information with a request from a first resource (e.g., a user’s browser) and is used to create a cookie. See FF 2. Notably, Villavicencio explains that the cookie contains the user’s identification information (e.g., user ID 1454, user’s IP address 1456), and thus, this data is associated with the cookie in order to create the cookie. FF 4. Because the first resource also requests access to other resources (FF 3), Villavicencio’s cookie associates data identifying an expected source of a future request (e.g., user’s IP address) to access a second resource as recited in claim 1.

When Villavicencio receives a request to access a second resource, Villavicencio states that the cookie’s contents, including user ID 1454 and user’s IP address 1456, are included with this second request. Thus, Villavicencio’s cookie is also a “check” or unique data (e.g., user ID, user IP address) presented when requesting a resource. See FF 1, 3, 4. Moreover, we take notice that, when a browser’s request is sent, information (e.g., the user’s IP address) about the browser (e.g., the first resource) is also included so that the requested resource returns to the proper source.
We therefore disagree with Appellants (App. Br. 10) that Villavicencio fails to disclose the request includes the check (e.g., the cookie) and data identifying the first resource (e.g., user’s IP address) as recited in claim 1.

Nonetheless, at best, Villavicencio teaches re-authenticating the cookie for the second resource request. See FF 3. Villavicencio fails to discuss additionally granting the request only if the data identifying the first resource matches the data identifying the expected source associated with the check. That is, Villavicencio discusses no affirmative step of matching data identifying the first and expected source as recited. Whether or not such a comparison would have been obvious to an ordinary artisan is not an issue before us, and we will not engage in this inquiry on appeal in the first instance.

We are therefore persuaded that the Examiner erred in rejecting (1) independent claim 1; (2) independent claims 20 and 39 which recite commensurate limitations; and (3) claims dependent thereon for similar reasons. Since this issue is dispositive of our reversal of the Examiner’s rejection, we need not address Appellants’ other arguments pertaining to this issue (App. Br. 10, 11, 15).

Claims 4-9, 23-28, and 42-45

ADDITIONAL FINDINGS OF FACT

5. Villavicencio discloses a web browser 12 requests a resource 22. If resource is protected, the method will pass any valid authentication cookies with the request at step 750. Web Gate 28 will see if the cookie is valid at step 754. If no valid authentication cookie is received at step 754, the method attempts to authenticate the user at steps 760 and 762. If authentication for the resource is successful, the Web Gate 28 passes the cookie to and is stored by the browser 12 at step 780. Villavicencio, col. 2, ll. 23-32; col. 22, ll. 37-67; Figs. 1, 22.
ANALYSIS

Based on the record before us, we find no error in the Examiner’s anticipation rejection. Claim 4 recites associating the check with the data identifying the first resource. As explained above, when a user requests a resource, the request must include data identifying the network resource (e.g., a user’s IP address) so that requested information can be returned to the user’s browser (e.g., the first resource). Villavicencio further states that the request, in turn, returns a cookie as part of the authentication scheme. FF 2. Thus, in effect, Villavicencio’s request for information (see FF 2) is also a request for a check that is received by server 28 and sent to the user’s browser (e.g., the first resource). See FF 3, 5. Again, in order for the system to know where to send the cookie, Villavicencio must have obtained such data identifying the first resource with the request. Villavicencio therefore discloses receiving a request for a check that includes data identifying the first network resource.

Villavicencio further demonstrates that an authentication cookie is sent with the request for a second resource or generating a check (e.g., cookie) to be submitted by the first resource when requesting a second resource. See FF 3. By including a user’s IP address with the cookie (see FF 4), this data identifying a first resource (e.g., user’s IP address) must have been associated with the cookie. See also Ans. 20-21. Additionally, the recited associating step in claim 4 does not have to be performed before the generating step. That is, the receiving step recites “a check” and thus the succeeding method steps that recite “the check” do not require a particular order. See Altiris, Inc. v. Symantec Corp., 318 F.3d 1363, 1369 (Fed. Cir. 2003) (citations omitted) (indicating method steps are not ordinarily construed to require an order unless they expressly or implicitly require performance in that order).
Villavicencio therefore discloses associating the check with the data identifying the first resource as recited in claim 4.

For the foregoing reasons, Appellants have not shown error in the anticipation rejection of independent claim 4 based on Villavicencio. We therefore sustain the rejection of claim 4, and claims 5-9, 23-28, and 42-45 which fall with claim 4.

Claims 10-14, 29-33, and 46-51

ADDITIONAL FINDINGS OF FACT

6. Appellants have not defined “a signed check” or “sign.” See generally Specification.

7. Villavicencio states that authentication can involve a certificate authentication. During certificate authentication challenges, a user’s browser can resend user authentication information to a Web Server. Villavicencio, col. 20, ll. 6-8; col. 31, ll. 28-47; col. 33, ll. 41-47; col. 37, ll. 33-37.

ANALYSIS

Based on the record before us, we find no error in the Examiner’s anticipation rejection of representative independent claim 10. For the recitations of receiving a request for a check and associating the check with the data identifying the first resource, we refer Appellants to our previous discussion of claim 4.

As for the remaining contested limitation of granting the request to access the second resource, we find that the scope of this claim differs from claim 1. Claim 10 recited “granting the request to access the second resource only if the check is authentic and is signed with the data matching the data identifying the first resource associated with the check.” The Specification has not defined a “signed check” or “sign.” See FF 6. Giving this claim its broadest reasonable construction, a check “is signed” includes generating a portion of the check and marking the check with data. See In re Am. Acad. of Sci. Tech Ctr., 367 F.3d 1359, 1364 (Fed. Cir. 2004) (internal citations and quotations omitted).
Villavicencio teaches multiple markings or signatures on a cookie (e.g., a check), including the user’s IP address. See FF 4. Villavicencio therefore discloses associating data identifying the first resource (e.g., user’s IP address) with the cookie so as to organize the data that forms the cookie. See FF 2, 4. Villavicencio then discloses marking or signing the check with data identifying the first resource associated with the check (e.g., the cookie includes user IP address 1456) to create the check’s (e.g., cookie’s) contents. See id. Furthermore, the request is granted only if the check is authentic, and this authentication cannot be accomplished with evaluating the cookie that is signed with data identifying the first resource (e.g., user IP address) associated with the cookie or check. See FF 4-5. We therefore find that the request for the second resource is only granted if the check is authentic and is signed with data matching the data identifying the first resource associated with the check as recited in claim 10.

For the foregoing reasons, Appellants have not shown error in the anticipation rejection of independent claim 10. We therefore sustain the rejection of claim 10, and claims 11-14, 29-33, and 46-51 which fall with claim 10.

Claims 15-19 and 34-38

ADDITIONAL FINDINGS OF FACT

8. Villavicencio discloses web servers 1070, 1072, 1074, each server hosting a different domain. The event handler 512 determines the master domain and redirects the browser 1082 to the master (step 1036, path 1086) if the domain of the requested resource is not master domain. Once authenticated, an authentication cookie is passed to the user’s browser (step 1040, path 1088) and the browser is redirected to the first domain (step 1042, path 1090). Master domain also passes information contained in the cookie to the first domain in the query portion of the redirection URL (also step 1042, path 1090).
The first domain sends its own authentication cookie to the web browser 1082 (see path 1092). Villavicencio, col. 29, ll. 11-49; col. 30, l. 39 – col. 40, l. 10; Figs. 28-29.

ANALYSIS

Based on the record before us, we find error in the Examiner’s anticipation rejection of representative claim 15. Among other limitations, claim 15 recites “generating a check” and “the first resource signing the check with data identifying the first resource.” The scope of claim 15 differs from claim 10 by specifying which resource signs the check. Again, giving this claim its broadest reasonable construction, at least a portion of the check must be generated before it is signed by the first resource.

As discussed above, Villavicencio discloses creating or generating a check (e.g., a cookie), which is returned to the first resource for storage. See FF 2, 3, 5. Moreover, Villavicencio discloses the check (e.g., cookie) includes a secured hash 1462. See FF 4. While this hash is associated with the cookie, Villavicencio discloses the server (e.g., web gate 28) includes this information as part of the cookie (see FF 2, 5), and not the first resource (e.g., the browser).

Additionally, Villavicencio states that the first resource (e.g., user’s browser) attaches the cookie to a request (FF 3). However, attaching a cookie to a request falls short of marking or signing a cookie with data identifying the first resource. Notably, since claim 15 further recites submitting the signed check with a request, the request cannot also be considered the data identifying the first resource that signs the check (e.g., cookie) as required by claim 15.

Villavicencio further discusses an authentication scheme that includes a certificate supplied by a user’s browser or a first resource. See FF 7. However, Villavicencio provides no details that this certificate is supplied such that the browser marks the cookie with the certificate. See id.
Furthermore, while Villavicencio may likely include other information with the cookie when sending the request and for authentication, possibilities and probabilities are insufficient to establish anticipation. See In re Robertson, 169 F.3d 743, 745 (Fed. Cir. 1999) (internal citations and quotation marks omitted).

Lastly, the Examiner discusses Figures 28 and 29 in Villavicencio. Ans. 14, 21-23. In this scenario, the browser is redirected to a master domain for authentication. Both the master domain and the domain accessed by the user provide their own authentication cookie to the user’s browser. Id. However, there is still no discussion that the first resource (e.g., the browser) signs data identifying the first resource (see id.) as required by claim 15.

We therefore are constrained to find that the Examiner erred in rejecting (1) independent claim 15; (2) independent claim 34 which recites commensurate limitations; and (3) claims dependent thereon for similar reasons. Since this issue is dispositive of our reversal of the Examiner’s rejection, we need not address Appellants’ other arguments (App. Br. 14).

CONCLUSION

Under § 102, the Examiner erred in rejecting claims 1-3, 15-22, and 34-41, but did not err in rejecting claims 4-14, 23-33, and 42-51.

ORDER

The Examiner’s decision rejecting claims 1-51 is affirmed-in-part.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART

BLANKENSHIP, Administrative Patent Judge, dissenting-in-part.

Because I disagree that representative claim 15 has been shown to distinguish over Villavicencio, I respectfully dissent from the decision to reverse the rejection of claims 15-19 and 34-38.

In my view, a “check” is not “defined” as “a unique piece of electronic data to be presented when requesting access to resource 26” (FF 1).
The Specification (¶ 0025) indicates that “a check may be an alphanumeric string of a specified length.” In light of the Specification, I would interpret a “check” to be a unique piece of electronic data that can be presented when requesting access to a resource, and which may be embodied as an alphanumeric string.

I agree with the majority that Appellants have not defined “sign” or “a signed check” (FF 6). I further note that Appellants have not defined what the act of “signing” a check may require.

I endorse the majority’s reasoning in support of why instant claim 10, which recites granting access to a resource “only if the check is authentic and is signed with data matching the data identifying the first resource associated with the check,” is met by the reference. In particular, Villavicencio discloses marking or signing the check with data identifying the first resource associated with the check (e.g., the cookie includes user IP address 1456; Fig. 37) to create the check’s (e.g., cookie’s) contents.

Claim 15 recites “the first resource signing the check with data identifying the first resource.” The Specification (¶ 0035) teaches that “it is expected that resource module 24 [Fig. 2] will sign the check using a digital certificate identifying application service 12” and (¶ 0042) that “[c]lient 16 . . . routes the new check to application service 12 which signs and provides the new check with a request to retrieve the selected document from resource 26.” However, it is improper to “import limitations into claims from examples or embodiments appearing only in a patent’s written description, even when a specification describes very specific embodiments of the invention or even describes only a single embodiment, unless the specification makes clear that ‘the patentee . . . intends for the claims and the embodiments in the specification to be strictly coextensive.’” JVW Enters., Inc. v.
Interact Accessories, Inc., 424 F.3d 1324, 1335 (Fed. Cir. 2005) (quoting Phillips v. AWH Corp., 415 F.3d 1303, 1323 (Fed. Cir. 2005) (en banc)). I find no evidence in the Specification that Appellants intended for the claims and the embodiments disclosed in the Specification to be coextensive.

Claim 15, by its terms, does not require that the “check” be within the custody or control of the “first resource” when the data identifying the first resource is added to the “check” -- i.e., when the “check” is signed. The claim recites some unnamed entity “providing the check to the first resource,” but does not recite that the “first resource” receives the “provided” check. Moreover, even if it did, if the first resource were to receive a “signed check,” the resource would have received a “check,” because a “signed” check is simply a proper subset or species of “check” that has particular data contained within it -- e.g., an alphanumeric string that contains alphanumeric characters identifying the first resource. Nor does claim 15 require that the “providing” and the “signing” steps be in any particular order.

I therefore disagree that, on this record, the user’s IP address being provided by, or on behalf of, the user’s browser (“first resource”) in Villavicencio is not sufficient to describe the step of “the first resource signing the check with data identifying the first resource.” As previously noted, the Specification does not tell us what the gerund “signing” might, at a minimum, require. “Signing,” in the invention of claim 15, might require no more than providing the data that “identif[ies] the first resource.”

Claim 15 does not recite “the first resource receiving the check and adding to the check data identifying the first resource,” thus producing a “signed check.” Appellants’ duty is to amend the claim if the claim is to have that scope.
“[D]uring patent prosecution when claims can be amended, ambiguities should be recognized, scope and breadth of language explored, and clarification imposed.” In re Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989). I cannot read limitations into the claim based on what I think I might know about “signing” a “check.”³

³ Moreover, a paper check can be pre-printed with a signature, just as an electronic data “check” can be formed with data that identifies the “check” as a “signed check.” An alphanumeric string does not spring forth fully formed, but is generated a character at a time. At least a portion of the “check” is thus generated before the check is “signed.”

pgc

HEWLETT-PACKARD COMPANY
Intellectual Property Administration
3404 E. Harmony Road
Mail Stop 35
FORT COLLINS CO 80528