Obviousness

Obviousness Analysis of U.S. Patent No. 12,254,103 under 35 U.S.C. § 103

This analysis evaluates whether the independent claims of U.S. Patent No. 12,254,103 would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) at the time of the invention, with a priority date of October 18, 2019. An invention is considered obvious if the differences between the claimed invention and the prior art are such that the subject matter as a whole would have been obvious to a PHOSITA. This analysis relies on the prior art references cited by the USPTO examiner and summarized in the "Prior art" section.

A PHOSITA in this technical field would be an engineer or computer scientist with several years of experience in mobile application development, data security, secure element technology, and client-server communication protocols, particularly within the context of identity management or electronic payment systems.

Combination of Prior Art

The independent claims of patent 12,254,103 could be rendered obvious by combining the teachings of US 2015/0040180 A1 (the '180 application) and US 2006/0265508 A1 (the '508 application).

• US 2015/0040180 A1 ('180): Teaches a mobile device with an "information firewall" that associates security policies with different collections of data. It discloses a reader (requester) communicating with the mobile device to access data, and the device enforcing policies on that request.
• US 2006/0265508 A1 ('508): Teaches a system for managing a "multiplicity of namespaces," where each namespace is a distinct data environment with its own access control policies.

Analysis of Independent Claim 1

Claim 1 recites a method comprising:

1. Associating security policies with each of a plurality of supported namespaces on a mobile device.
2. Operating a reader to communicate with the mobile device.
3. The reader selects a namespace to access based on the security policies.

The '180 application teaches elements 1 and 2. It discloses a mobile device that associates policies with data collections (analogous to namespaces) and a reader that communicates with it. However, the '180 application is missing the key final element: the reader selecting a namespace based on the policies. In the '180 system, the reader makes a request, and the mobile device's firewall unilaterally enforces the policy.

The '508 application teaches the management of multiple, distinct namespaces, each with its own access policies. A PHOSITA would recognize that a modern mobile device, particularly for eID purposes, would function like the multi-tenant system of '508, needing to host different identities (e.g., a government ID, a university ID, a corporate badge) in distinct "namespaces."

Motivation to Combine:
A PHOSITA, starting with the mobile firewall concept from the '180 application, would be motivated to improve its efficiency and flexibility in a real-world eID context. The problem with the '180 system is that a reader may not know the mobile device's security policy in advance. The reader might make a request that is destined to fail because it cannot meet the stringent security requirements (e.g., requesting age verification from a national ID namespace that requires certificate verification, which the reader cannot perform). This leads to failed transactions and a poor user experience.

To solve this known problem, a PHOSITA would look for ways to make the interaction more intelligent. Drawing from the '508 concept of managing multiple, distinct namespaces, the PHOSITA would be motivated to modify the '180 system. It would be a logical and predictable step to have the mobile device first advertise its available namespaces and the rules for accessing them. This would allow the reader to discover what data is available and what is required to access it. Consequently, the reader could then intelligently select a namespace whose security policy it can satisfy, ensuring a successful transaction. This combination of advertising multiple data sources ('508) and their access rules ('180) to enable an intelligent choice by the reader would render the invention of claim 1 obvious.

Analysis of Independent Claims 11 and 16

Claims 11 and 16 build upon claim 1 by reciting the specific back-and-forth communication protocol to implement the reader's selection process.

• Claim 11 focuses on the mobile device's role: receiving a list of selected namespaces from a reader and, in response, transmitting the specific security rules for those namespaces.
• Claim 16 details the entire transaction flow: the mobile device sends policies, the reader selects candidate namespaces, the mobile device sends policies for those candidates, the reader determines if it can satisfy any of them, selects one, and demonstrates satisfaction to gain access.

Once the core idea of having the reader select a namespace based on advertised policies is established (from the combination of '180 and '508), designing the specific communication protocol would be a matter of routine engineering for a PHOSITA. The multi-step negotiation process described in claims 11 and 16 is a standard and efficient design pattern for client-server interactions.

Motivation for the Specific Protocol:
A PHOSITA would be motivated to design the communication flow this way for efficiency. Transmitting the full, potentially complex, security policies for all available namespaces at the beginning of every transaction could be slow and data-intensive. A more logical and predictable implementation would be:

1. Discovery: The mobile device first sends a simple list of available namespaces (e.g., fr.gouv.ants.id, fr.edu.univ-pau.labo.profile).
2. Selection of Interest: The reader, based on its own configuration (e.g., a whitelist of trusted issuers), selects the namespaces it is interested in.
3. Request for Details: The reader requests the specific security policies for only the selected namespaces.
4. Final Selection and Access: The mobile device transmits the detailed policies, and the reader makes its final selection and initiates the access request.

This flow, which maps directly onto the steps of claims 11 and 16, is an obvious way to implement the system to conserve bandwidth and reduce latency. It is a predictable solution to the problem of efficiently communicating the necessary information. Therefore, these claims represent an obvious implementation of the core inventive concept derived from the '180 and '508 references.

Conclusion

The independent claims of U.S. Patent No. 12,254,103 would have been obvious to a Person Having Ordinary Skill in the Art. The combination of US 2015/0040180 A1 and US 2006/0265508 A1 teaches all the core elements of the claims. A PHOSITA would have been motivated to combine their teachings to create a more flexible and efficient eID system where the reader could discover and select from multiple identity namespaces based on their advertised security policies, thereby avoiding transactional failures and improving system performance. The specific communication protocols recited in the dependent claims represent a predictable and routine implementation of this core concept.