LEVEL 3 COMMUNICATIONS, LLC
Patent Trials and Appeals Board
Feb 12, 2020
14948268 - (D) (P.T.A.B. Feb. 12, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/948,268
FILING DATE: 11/21/2015
FIRST NAMED INVENTOR: Brad Bernay Doctor
ATTORNEY DOCKET NO.: 0463-US-C1
CONFIRMATION NO.: 3162

83579 7590 02/12/2020
LEVEL 3 COMMUNICATIONS, LLC
Attn: Patent Docketing
1025 Eldorado Blvd.
Broomfield, CO 80021

EXAMINER: DADA, BEEMNET W
ART UNIT / PAPER NUMBER: 2435
NOTIFICATION DATE: 02/12/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): patent.docketing@level3.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte BRAD BERNAY DOCTOR, NATHANIEL DAVID JAMIEL, TAYLOR DAVID FRALEY, and JOHN GRAYSON FABLE

Appeal 2018-005664
Application 14/948,268
Technology Center 2400

Before IRVIN E. BRANCH, MICHAEL M. BARRY, and SCOTT RAEVSKY, Administrative Patent Judges.

RAEVSKY, Administrative Patent Judge.

DECISION ON APPEAL

Pursuant to 35 U.S.C. § 134(a), Appellant[1] appeals from the Examiner’s decision to reject claims 1–30. We have jurisdiction under 35 U.S.C. § 6(b).[2]

We affirm in part.

[1] We use the word “Appellant” to refer to “Applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as Level 3 Communications, LLC. Appeal Br. 3.

[2] We conducted an oral hearing on January 27, 2020. A transcript of the oral hearing is being prepared and will be entered into the record in due course.

CLAIMED SUBJECT MATTER

The claims generally relate to role-based user authentication of a user using a security token. See Spec., Abstr, ¶ 2. Claim 1, reproduced below, is illustrative of the claimed subject matter:

    1. A system, comprising:
    at least one processor in communication with a memory storing instructions that, when executed by the at least one processor, cause the system to:
    receive an authentication request comprising authentication information from a user device requesting access for a user to a computing device connected to a communications network;
    transmit the authentication request to an appropriate authentication server responsive to a type of authentication request;
    receive an authentication response from the appropriate authentication server;
    obtain a permission level for the user requesting access to the computing device and attach the permission level to the authentication response; and
    transmit the authentication response, including the attached permission level, to the user device.

REJECTIONS

Claims 1–3, 8–13, 18–23, and 28–30 stand rejected under 35 U.S.C. § 103 as unpatentable over Ting (US 2007/0186106 A1, Aug. 9, 2007) and Brown (US 2013/0252583 A1, Sept. 26, 2013). Final Act. 2.[3]

Claims 4–7, 14–17, and 24–27 stand rejected under 35 U.S.C. § 103 as unpatentable over Ting, Brown, and Lee (US 2012/0167180 A1, June 28, 2012). Id. at 4.

[3] Although the Office Action states that claims 1–30 are rejected over Ting and Brown, the body of the rejection does not reject claims 4–7, 14–17, and 24–27. We treat this as a ministerial error.

ANALYSIS

We review the appealed rejections for error based upon the issues identified by Appellant and in light of the arguments and evidence produced thereon. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential). Arguments not made are waived. See id.

Claims 1–10

Appellant contends that the combination of Ting and Brown fails to teach or suggest the following limitations of claim 1:

    receive an authentication response from the appropriate authentication server;
    obtain a permission level for the user requesting access to the computing device and attach the permission level to the authentication response; and
    transmit the authentication response, including the attached permission level, to the user device.

Appeal Br. 8–11; Reply Br. 4–5 (emphasis added to main disputed limitation).

Appellant contends that Ting discusses determining an “overall authentication state” that is an “accept/reject response from the global access server.” Appeal Br. 9 (quoting Ting ¶¶ 62–63). Appellant contends that “[a]t best, Ting discloses a binary determination of whether to grant a user access to a requested resource,” not a “permission level for the user” or “attach[ing] the permission level to the authentication response” as claimed. Id. Appellant distinguishes a permission level from a binary authentication by referring to the Specification’s “nonlimiting example” of “one of the following: No permissions, Execute, Write, Write & Execute, Read, Read & Execute, Read & Execute, Read & Write, and Read, Write & Execute.” Id. at 9–10 (citing Spec. ¶ 50).[4]

Appellant also contends that Brown merely discloses the generation of a “token by an authentication server, where the token contains location data” and “authentication data indicating a level of access.” Id. at 10 (internal quotations omitted). According to Appellant, “Brown discloses the generation and transmission of the authentication data by the authentication server to a mobile device and does not disclose obtaining a permission level and attaching it to a received authentication response.” Id.
Further, Appellant contends that “modifying the authentication server disclosed by Ting to obtain permission levels disclosed by Brown results in a system where the authentication server determines authentication and obtains permission levels before sending a response to a user device.” Reply Br. 4–5.

[4] We take no position on Appellant’s proposed construction of “permission level” as its meaning does not materially affect our decision. See Nidec Motor Corp. v. Zhongshan Broad Ocean Motor Co., 868 F.3d 1013, 1017 (Fed. Cir. 2017) (“[W]e need only construe terms that are in controversy, and only to the extent necessary to resolve the controversy.”) (internal quotation and citation omitted).

The Examiner finds that “Ting teaches receiving an authentication response from the appropriate authentication server” and “transmit[ting] the authentication response to the user requesting access to the computing device.” Ans. 3 (citing Ting ¶¶ 39, 62, 63, 65); Final Act. 3 (citing Ting ¶¶ 39, 62, 63). The Examiner further finds that “Brown teaches an authentication system including obtaining a permission level for a user requesting access to a computing device” and “transmit[ting] the authentication response including the attached permission level, to the user device.” Ans. 3–4 (citing Brown ¶¶ 100, 101, 111); Final Act. 3 (citing Brown ¶¶ 100, 101). Combining the references, the Examiner finds, “one of ordinary skill would be able to modify the client/server based authentication of Ting by indicating a level of access to the requesting client and providing a response that includes the level of access (i.e., permission level) as taught by Brown, thereby enhancing the security of the system.” Ans. 4; see also Final Act. 4.

We agree with the Examiner. Ting discloses a client’s “logon request and associated credentials” that are received at an “identity server.” Ting ¶ 61.
The identity server queries a “PACS (physical access control) system” by “posting a RADIUS (remote authentication dial-in user service) authentication request” to an authentication server called a “global access server, which in turn, queries the PACS.” Id. ¶¶ 61, 39 (“[T]he identity server . . . can interact with other authentication servers such as . . . a RADIUS server.”). The PACS then “executes its internal authentication process . . . and returns a [user’s] ‘state.’” Id. ¶ 61, see also id. ¶ 62. Based on the user’s state, “a decision can be made whether to grant or deny access.” Id. ¶ 62. This “accept/reject response” is sent from the global access server to the client through the identity server. See id. ¶¶ 63, 39, Fig. 1.

In addition, Brown discloses an “authentication server [that] generates [a] token,” which “indicat[es] a level of access that the mobile device is permitted to have.” Brown ¶ 100. Brown’s “authentication server transmits the token to the mobile device.” Id. ¶ 101. One of ordinary skill in the art would have modified Ting’s identity server, which receives an authentication response from the global access server (an authentication server), to attach the “level of access” taught by Brown.

Appellant does not point to any evidence of record that the combination would be “uniquely challenging or difficult for one of ordinary skill in the art” or “represent[] an unobvious step over the prior art.” Leapfrog Enters. Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418–19 (2007)). Nor have Appellants provided objective evidence of secondary considerations, which our reviewing court states “operates as a beneficial check on hindsight.” Cheese Sys., Inc. v. Tetra Pak Cheese and Powder Sys., 725 F.3d 1341, 1352 (Fed. Cir. 2013).

The Examiner’s findings are reasonable because the skilled artisan would “be able to fit the teachings of multiple patents together like pieces of a puzzle” because the skilled artisan is “a person of ordinary creativity, not an automaton.” KSR, 550 U.S. at 420–21. We are persuaded the claimed subject matter exemplifies the principle that “[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” KSR, 550 U.S. at 416.

Appellant also contends that the Examiner’s argument for combining Ting and Brown “lacks the necessary articulated reasoning with some rational underpinning to support its legal conclusion of obviousness.” Appeal Br. 11 (citing Final Act. 4). As we noted above, the Examiner clarifies in the Answer that “one of ordinary skill would be able to modify the client/server based authentication of Ting by indicating a level of access to the requesting client and providing a response that includes the level of access (i.e., permission level) as taught by Brown, thereby enhancing the security of the system.” Ans. 4. Appellant does not persuasively address the merits of the Examiner’s stated rationale.

Accordingly, we sustain the Examiner’s rejection of claim 1. Appellant does not argue separate patentability for its dependent claims. See Appeal Br. 11. We therefore also sustain the Examiner’s rejection of claims 2–10 (including claims 4–7 rejected over Ting, Brown, and Lee). See 37 C.F.R. § 41.37(c)(1)(iv).

Claims 11–30

Appellant next contends that the combination of Ting and Brown fails to teach or suggest “wherein identifying the permission level includes determining a location of the computing device and determining the permission level based at least on the location of the computing device,” as recited in claim 11. Appeal Br. 13.
Specifically, Appellant contends Brown fails to teach or suggest this limitation because, “[a]t best, Brown discloses the generation of a ‘token’ [that] contains location data for a mobile device.” Id. (emphasis added). In contrast to determining a location of a mobile device, Appellant contends, claim 11 recites “determining a location of the computing device.” Id.

The Examiner finds that Brown teaches this limitation by disclosing a “level of access dependent on location of the requesting device.” Ans. 6 (citing Brown ¶¶ 100, 101, 111) (emphasis omitted); see also Final Act. 3 (citing Brown ¶¶ 100, 101).

We agree with Appellant. Claim 11 distinguishes the “computing device” for which a location is determined from a “user device” as follows: “receiving . . . an authentication request comprising authentication information from a user device requesting access . . . to a computing device.” (Emphasis added.) Brown discloses an “authentication server” that generates a token “identifying a location for the mobile device.” Brown ¶ 100. This token “indicat[es] a level of access that the mobile device is permitted to have to the service provided by the service server.” Id. In other words, Brown determines the location of a user device (“the mobile device”) attempting to access a computing device (“the service server”), whereas the claim determines the location of the computing device. We note the Examiner has not relied on any of the other cited references to teach this element.

Accordingly, we do not sustain the Examiner’s rejection of claim 11 and its corresponding dependent claims (including claims 14–17 rejected over Ting, Brown, and Lee). Similarly, claim 21 recites similar language to the above-quoted limitation of claim 11. Accordingly, we also do not sustain the Examiner’s rejections of claims 21 and its corresponding dependent claims (including claims 24–27 rejected over Ting, Brown, and Lee).

CONCLUSION

In summary:

| Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
| 1–3, 8–13, 18–23, and 28–30 | 103 | Ting, Brown | 1–3, 8–10 | 11–13, 18–23, 28–30 |
| 4–7, 14–17, 24–27 | 103 | Ting, Brown, Lee | 4–7 | 14–17, 24–27 |
| Overall Outcome | | | 1–10 | 11–30 |

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED IN PART