Intellectual Ventures Ex. 2012
Compass v. IV
IPR2014-00724

I, Frederic T. Chong, Ph.D., declare as follows:

1. I am a Professor of Computer Science and the Director of Computer Engineering at the University of California at Santa Barbara. I am an expert in the fields of computer security, computer systems, and computer engineering.

2. I have published over 123 scientific articles on these topics, including a 2009 report to the president with recommendations from the National Cyber Leap Year summit on computer security, for which I was a co-chair.

3. I have received 5 best paper awards for my work and served as an investigator on over $30 million dollars in sponsored research. I have supervised 15 doctoral students, 6 master's students and 4 postdoctoral scholars.

4. I have taught several graduate courses relating to computer security and have been intimately involved in the design and evaluation of university curricula which include computer security.

5. My experience and qualifications are more fully summarized in my curriculum vitae, a copy of which is provided as Exhibit 2013.

6. I have been asked by counsel to review relevant materials and render my expert opinion in connection with technical matters related to the petition for inter partes review of U.S. Patent 5,745,574 ("the '574 patent"). I understand that the parties involved in this IPR proceeding are the Petitioners, Compass Bank, Commerce Bancshares, Inc., and First National Bank of Omaha (collectively, "Compass Bank"), and the Patent Owner, Intellectual Ventures II LLC ("IV").

7. I am being compensated for my time in connection with developing and rendering my opinions in this matter at the rate of $400/hour. However, my compensation is not dependent on the outcome of this proceeding. I am not an employee, consultant, or contractor of either party.

8. I understand that Compass Bank is seeking cancellation of various claims of the '574 patent based on the argument that such claims lack novelty in view of the prior art, or that such claims would have been obvious in view of the teachings of the prior art. I understand that the specific grounds are as follows:

• Claims 18-31 as purportedly anticipated under 35 U.S.C. § 102(a) by Kapidzic;
• Claims 23-31 as purportedly anticipated under 35 U.S.C. § 102(b) by PKI Report;
• Claims 25, 29, and 30 as purportedly obvious under 35 U.S.C. § 103(a) over PKI Report; and
• Claims 18-22 as purportedly obvious under 35 U.S.C. § 103(a) over the combination of PKI Report and RFC 1424.

9. In order to render my opinions in this matter, I have reviewed the following materials:

• The '574 patent (Ex. 1002);
• The file history for the '574 patent (Ex. 1003);
• The Kapidzic reference (Ex. 1004);
• The PKI Study reference (Ex. 1005);
• The RFC 1424 reference (Ex. 1006);
• The declaration and deposition of Compass Bank's expert, Dr. Naccache (Ex. 1001, 2014); and
• Any other materials referenced directly or indirectly in my declaration.

I. RELEVANT FIELD AND DESCRIPTION OF PERSON HAVING ORDINARY SKILL IN THE ART

10. The relevant field for the '574 patent includes computer security. I consider myself to be an expert in the relevant field.

11. In my opinion, a person having ordinary skill in the art at the relevant time period, which I understand to be around the time of the filing date of the '574 patent, would have had a bachelor's degree in electrical and computer engineering or computer science, and at least about two years of related job experience, or an equivalent combination of education and job experience.

12. I understand what a person having ordinary skill in the art would have known at the time of the invention, and all of my opinions are from that perspective.

II. CLAIM CONSTRUCTION

13. I understand that the meanings of the claim terms are to be understood from the perspective of a person having ordinary skill in the art. I understand that claim construction begins with the ordinary and customary meanings of the terms used in the claims. I further understand that the meanings of terms used in the claims should be understood primarily in view of the intrinsic record, including the specification and file history. I understand that the terms of the claims are to be given their broadest reasonable interpretation in view of the applicable evidence.

14. I understand that the first step in analyzing Compass Bank's grounds for unpatentability is to determine the meaning of the terms in the involved claims of the '574 patent.

A. "Process"

15. The preamble in each of independent claims 18, 23, 28, 30, and 31 recites "processes arranged in a certification infrastructure." In addition, the body of each of these claims refers to a process or multiple processes.

16. In my opinion, a person of ordinary skill in the art would understand the term "process" in each claim to include "computer program instructions running on a computer." This interpretation is consistent with the specification, which refers to a "process" in the context of FIG. 1A as follows: "[e]ach of the blocks in FIG. 1A is implemented as a computer process running on a computer." Ex. 1002 at col. 9:64-65.

B. "Common certificate repository"

17. Claim 20 refers to "storing the received signed certificate or copy of a signed certificate at a common certificate repository." Claim 27 also refers to a "common certificate repository." In my opinion, the broadest reasonable interpretation of "common certificate repository" in light of the specification is "a repository that stores public key certificates for all certification authorities."

18. I believe that the specification explicitly requires this interpretation, stating multiple times that "[a] common certificate repository may contain public key certificates for all certification authorities in the hierarchy." Ex. 1002 at col. 5:51-52; 6:28-30 (emphasis added). The specification also contrasts storing a certificate "either at said requesting computer process or at a common certificate repository." Id. at col. 6:60-61. Accordingly, the specification repeatedly, consistently, and exclusively depicts a "common certificate repository" as a repository that stores certificates for all certification authorities.

19. In light of the specification as well as the plain meaning of the claim, it is my opinion that one of ordinary skill in the art would not interpret a common certificate repository to merely store public key certificates for a single certification authority. Rather, it is my opinion that "common certificate repository" means a repository that stores certificates for all certification authorities in the certification infrastructure.

C. "Verified by a direct inquiry to the certification authority"

20. Claim 25 recites that "a public key certificate of a sender may also be verified by a direct inquiry to the certification authority which issued that certificate." It is my opinion that the "verification by a direct inquiry" limitation must mean that a direct verification response is received without performing iterative verification of certificates.

21. The specification also supports this proper interpretation as follows:

The Verify_Certificate process can be utilized two ways. First, it can be utilized to verify all certificates between the entity for which a certificate is being verified to the common point of trust with the verifier. This will also be based on usage of CRL's to ensure that the certificate certified and all other certificates used in the process are still valid. The second option utilizes direct verification by sending a Verify_Certificate message to a common repository which is known to be trusted and the common repository responds with a currently valid certificate of the entity being validated. In this mode, no CRL's are needed. Ex. 1002 at col. 13:42-52 (emphasis added).

22. As can be seen from this passage, the second, direct verification option includes receiving a direct response, which the specification contrasts with verifying certificates between an entity and the common point of trust, which represents iterative verification.

23. Accordingly, in my opinion, the broadest reasonable interpretation in light of the specification of "verified by a direct inquiry to the certification authority" must be interpreted to mean "directly verified without performing iterative verification of certificates."

D. Remaining Claim Terms

24. I do not find it necessary to construe the remaining terms of the involved claims of the '574 patent in order to resolve the issues contested in this IPR. However, I understand that each of the preambles of the claims is limiting. For example, I understand that at least the preambles for claims 23, 30, and 31 are limiting because the bodies of these claims rely on the preambles for antecedent basis.

III. ANALYSIS OF COMPASS BANK'S PROPOSED GROUNDS FOR UNPATENTABILITY

25. I understand that a claim of an issued patent can be found to be invalid if the claim was anticipated (lack of novelty) by the prior art, or if the claim would have been obvious in view of the prior art. I understand that this determination is made from the perspective of a person having ordinary skill in the art who is presumed to be aware of all prior art.

26. I understand that a reference anticipates a claim only if it identically discloses each and every claim limitation expressly or inherently. Thus, I understand that a reference does not anticipate a claim if even a single limitation is missing from the reference.

27. I further understand that the determination of obviousness involves consideration of the scope and content of the prior art, the differences between the prior art and the claims, and the level of ordinary skill in the art. I also understand that secondary factors of non-obviousness can be considered, such as commercial success, long-felt but unsolved needs, failure of others, industry praise, etc.

28. I have been asked to give my opinions as to whether claims 18-31 of the '574 patent lack novelty or would have been obvious to a person having ordinary skill in the art in accordance with the grounds set forth by Compass Bank in its petition.

29. Claims 18, 23, 28, 30, and 31 of the '574 patent are the independent claims. The remaining claims 19-22, 24-27, and 29 are all dependent upon their respective independent claims. I understand that a reference, or group of references, cannot be found to anticipate, or render obvious, a dependent claim if the reference, or group of references, does not anticipate, or render obvious, the corresponding independent claim. Since I have concluded that the cited prior art does not invalidate claims 18, 23, 28, 30, and 31 of the '574 patent, I believe that the respective dependent claims are also valid. While I believe that all the dependent claims are valid, I also discuss herein specific examples of how some of the dependent claims are valid.

A. Claims 18-31 of the '574 patent are Not Anticipated by Kapidzic

30. I understand that Compass Bank asserts that claims 18-31 of the '574 patent should be canceled as being anticipated by the Kapidzic reference. I have been informed, however, that it is the position of the inventor of the '574 patent, Sead Muftic, that Kapidzic is not prior art to the '574 patent because the concepts in the Kapidzic article were derived from him. I have been informed that Dr. Muftic is filing a declaration explaining that the authors of the Kapidzic article, Nada Kapidzic and Alan Davidson, were Dr. Muftic's graduate students, and that they prepared the Kapidzic article under Dr. Muftic's direction and supervision. I understand that Dr. Muftic deliberately did not appear as an author on the Kapidzic article in order to further his students' careers. Therefore, I understand that Kapidzic cannot have anticipated these claims.

31. I have reviewed Dr. Muftic's declaration and I believe that Dr. Muftic's account of the history of the Kapidzic article is credible. Similar events are commonplace in the academic community. For similar reasons, I have declined to be an author on some publications with my own graduate students and postdoctoral scholars.

32. Regardless, even if Kapidzic is determined to be prior art, it is my opinion that Kapidzic does not anticipate claims 18-31.

1. Independent Claim 18

33. In my opinion, Kapidzic fails to teach all the features of claim 18, including "at a computer process authorized as an issuing certification authority, verifying the authenticity of [a certificate signature] request, and if authentic, certifying and returning the data structure in a certificate signature reply."

34. Kapidzic does not state anywhere that the certification authorities (CAs) or other components of the CMS are processes that perform these features. In fact, I believe that one of ordinary skill in the art would understand Kapidzic's system to require certification to include manual intervention as opposed to the process-based certification recited in claim 18.

35. Kapidzic explains that "[t]he process of certifying a new CA [certification authority] involves communication between it and its parent." Ex. 1004 § 3.2 ¶ 1. Based on the context of the preceding sentence, I believe that Kapidzic uses the term "process" to mean "method" or "technique."

36. Kapidzic further explains that "[t]his communication consists of two messages: Certificate Signature Request and Certificate Signature Reply," which "are in the form of e-mail letters." Ex. 1004 § 3.2 ¶ 1; n.2 (emphasis added). One of ordinary skill in the art would understand that these email messages require a human to manually inspect them and not that a process could automatically perform certification from the emails. Indeed, certification in Kapidzic "normally require[s] manual intervention." Ex. 1004 § 3.2 ¶ 3.

37. Kapidzic teaches that "[c]ertification starts with the CA's generation of a pair of public and private RSA keys. A self-signed certificate is created from the public key and the CA's DN [distinguished name], and sent to the parent CA in a Certificate Signature Request." Ex. 1004 § 3.2 ¶ 2. This request is in the form of an e-mail letter. Id. at n.2. Once the parent CA receives the request, it "verifies the identity of the requester" and "verifies the integrity of the request, and the signature of the self-signed certificate contained in the request." Id. ¶ 3.

38. In Kapidzic, verifying the identity of the requester "will normally require manual intervention and . . . is defined to be an off-line process." Id. "If all the checks verify successfully," including this manual check, the "parent CA signs the certificate" then "creates a Certificate Signature Reply that contains the signed certificate . . . and sends it back to the requester." Id. This reply must also be in the form of an e-mail letter. See id. at n.2.

39. Even if the user were to manually invoke a computer program to verify the signature of the certificate contained in the email, I believe that such a step would still require the user to manually select the certificate and manually run the program that verifies the signature. The user would then need to send the certificate to the requester via email, as the Certificate Signature Reply message "[is] in the form of [an] e-mail letter[]." Id. n. 2.

40. The manual certification techniques described in Kapidzic contrast with the process-based certificate signature request and certificate signature reply claimed in claim 18, namely, "at a computer process authorized as an issuing certification authority, verifying the authenticity of [a certificate signature] request, and if authentic, certifying and returning the data structure in a certificate signature reply."

41. The system of Kapidzic therefore shares the failings of prior systems that relied on manual processing of certificates, which the '574 patent sought to address. See Ex. 1002 at col. 4:20-26.

42. In contrast, the claimed features implement processes that make an actual certification infrastructure implementation feasible and scalable. See Ex. 1002 at col. 4:55-5:14.

43. Accordingly, it is my opinion that Kapidzic does not anticipate claim 18, expressly or inherently.

2. Dependent Claim 19

44. I understand that because claim 19 depends on claim 18 that claim 19 is patentable at least for the same reasons as claim 18.

3. Dependent Claim 20

45. Claim 20 recites "storing the received signed certificate or copy of a signed certificate at a common certificate repository."

46. As described above, I believe that "common certificate repository" in claim 20 should be interpreted to mean "a repository that stores public key certificates for all certification authorities."

47. Kapidzic states that "[e]ach CA keeps local copies of all the certificates in its certificate verification path, as well as the certificates of all its immediate subordinates, i.e. those it has issued." Ex. 1004 § 2.1 ¶ 9 (emphasis added).

48. Each CA keeping local copies is the opposite of having a common repository to store certificates for all certification authorities.

49. It is therefore my opinion that Kapidzic fails to anticipate claim 20, expressly or inherently.

4. Dependent Claim 21

50. I understand that because claim 21 depends on claim 18 that claim 21 is patentable at least for the same reasons as claim 18.

5. Dependent Claim 22

51. Claim 22 recites that the method of claim 18 is "performed upon expiration of an existing certificate, where the new certificate may contain either the existing or a new public key."

52. Kapidzic states that "At any time following a CA's initial registration it is possible for that CA to change its public and secret key pair. It can happen either when a current pair of keys expires after the end of their period of validity, or if the CA's secret key is suspected to be compromised. In both cases the CA's keys must be changed. . . . When a new key pair is generated by some CA, the same procedure is followed as in the original certification. A Certificate Signature Request is created and sent to the parent CA, which signs it and returns a Certificate Signature Reply (see section 3.2)." Ex. 1004 § 5 ¶¶ 1, 4 (emphasis added).

53. In my opinion, Kapidzic does not teach performing certification upon the expiration of a certificate, but rather performing a Certificate Signature Request and Certificate Signature Reply "when a current pair of keys expires." Ex. 1004 § 5 ¶¶ 1, 4 (emphasis added).

54. There is a difference between the expiration of keys and the expiration of the certificate. A pair of keys is not a certificate.

55. Kapidzic's teaching of performing certification upon the expiration of keys rather than the expiration of a certificate does not explicitly teach the features of claim 22, nor does it inherently teach these features.

56. Accordingly, it is my opinion that Kapidzic fails to anticipate claim 22, expressly or inherently.

6. Independent Claim 23

57. In my opinion, Kapidzic does not refer to a "sender" as recited in claim 23. Instead, Kapidzic states the following: "The situation can arise when one user may have the certificate of a second user but not the full certificate verification path to verify it, and [the] address of the second user is not known. The process of retrieving the verification path involves communication between the verifier and the UCA that issued the certificate, via the PCA . . . . This requires two additional CMS messages: Resolve Certificate Request and Perform Certificate Request." Ex. 1004, § 4.2 (emphasis added).

58. In the situation described above, Kapidzic explains that a user "may have the certificate of a second user" but that the "address of the second user is not known."

59. It is not clear from this passage how the first user obtained a certificate of the second user, but if the address of the second user is not known, it is not clear how either of these users is a sender. Typically, an email message includes the address of the sender and the receiver, such that it is easy to verify the address of either. Thus, Kapidzic has not provided any explanation of how such a user is a sender.

60. Accordingly, in my opinion, Kapidzic does not expressly or inherently teach the limitations of claim 23 related to obtaining any certificate "between the sender and a common point of trust."

61. Kapidzic also does not state anywhere that the certification authorities (CAs) or other components of the CMS from which certificates are obtained are processes. As described above, one of ordinary skill in the art would understand Kapidzic's system to require manual intervention due to the processing of email letters.

62. Thus, in my opinion, Kapidzic does not disclose "obtaining a public key certificate for every computer process . . ." because Kapidzic does not disclose computer processes.

63. Accordingly, in my opinion, Kapidzic does not explicitly or inherently anticipate claim 23.

7. Dependent Claim 24

64. I understand that because claim 24 depends on claim 18 that claim 24 is patentable at least for the same reasons as claim 18.

8. Dependent Claim 25

65. Claim 25 recites "The method of verifying of claim 23 in which a public key certificate of a sender may also be verified by a direct inquiry to the certification authority which issued that certificate."

66. As described above, it is my opinion that the verification by a direct inquiry in claim 25 means that a direct verification response is received without requiring iterative verification of certificates.

67. In contrast, Kapidzic does not teach querying a certification authority to directly verify the user certificate but rather merely obtaining the certification authority's certificate and performing repeated verification of certificates. Ex. 1004, § 4.1, ¶¶ 1-5; § 3.2, ¶ 4.

68. For example, Kapidzic states: "The process of retrieving a user's certificate involves communication between a certificate requester and the UCA which issued that certificate . . . . The case when the certificate is requested from the UCA is shown in Figure 3. The CMS UA sends a Certificate Request . . . . The UCA, upon receiving the Certificate Request, indexes the local database for the requested certificate, which it returns to the requester in a Certificate Reply. . . . It contains the requested certificate as well as all the certificates in the certificate verification path, up to the top of the hierarchy. The verification procedure is the same as for the Certificate Signature Reply. This is the preferred method for retrieving certificates since the UCA is assumed to be able to reply to requests of this kind immediately." Ex. 1004, § 4.1, ¶¶ 1-5 (emphasis added).

69. Kapidzic further describes the verification procedure for the Certificate Signature Reply referenced in the above passage, which is described in detail as follows: "The CA that originated the request receives the Certificate Signature Reply. It verifies the signatures of the certificates from the message, starting from the PCA's certificate, which is read from the configuration file, down to its own certificate. If successful it stores them in the local database. When this step is completed the CA is ready to certify CAs below it in the certification hierarchy, following the same steps as described above. This process is repeated for all CAs down to the lowest level CAs, i.e. UCAs." Ex. 1004, § 3.2, ¶ 4 (emphasis added).

70. Thus, in my view, Kapidzic does not teach querying a certification authority to directly verify the user certificate but rather merely obtaining the certification authority's certificate and performing some form of repeated verification of certificates.

71. Accordingly, it is my opinion that Kapidzic does not explicitly or inherently anticipate claim 25.

9. Dependent Claim 26

72. Claim 26 recites that "a public key certificate for every computer process in the infrastructure between the sender and a common point of trust may be obtained from respective individual computer processes."

73. Kapidzic teaches the following: "The process of retrieving a user's certificate involves communication between a certificate requester and the UCA which issued that certificate, or else by communication directly between the certificate requester and the certificate owner. . . . Nevertheless, there is an alternative solution for fetching certificates. The requester can send the certificate request directly to the owner, and ask him/her for his/her current certificate, as shown in Figure 4. . . . This solution is always possible, but an immediate reply cannot be expected since it depends on the availability of the owner." Ex. 1004, § 4.1, ¶¶ 1, 7.

74. These passages describe alternative approaches of retrieving a certificate from either the UCA or the certificate owner. These alternative approaches do not teach obtaining a certificate from every computer process in the infrastructure between the sender and the common point of trust.

75. Kapidzic does not describe querying every computer process, or even any computer process, but rather merely contacting a single UCA or a single owner.

76. Claim 26 requires a certificate to be obtained from multiple computer processes, including at least a process associated with the sender and a process associated with the common point of trust, as well as any processes in between. Moreover, Kapidzic's certificate owner is a user and not a process.

77. Accordingly, it is my opinion that Kapidzic fails to explicitly or inherently anticipate claim 26.

10. Dependent Claim 27

78. Claim 27 recites that "a public key certificate for every computer process in the infrastructure may also be obtained from a common repository."

79. As described above, I believe that "common certificate repository" should be interpreted to mean "a repository that stores public key certificates for all certification authorities."

80. Kapidzic states that "[e]ach CA keeps local copies of all the certificates in its certificate verification path, as well as the certificates of all its immediate subordinates, i.e. those it has issued." Ex. 1004 § 2.1 ¶ 9 (emphasis added).

81. Each CA keeping local copies is the opposite of having a common repository that stores certificates for every computer process in the infrastructure.

82. Accordingly, it is my opinion that Kapidzic fails to expressly or inherently anticipate claim 27.

`1].
`
`Independent Oaim 28
`
`83. Kapidzic does not teach "using the certificate revocation lists of each
`
`computer process between a computer process or user . . . and a point of trust .
`
`.
`
`. to ensure the certificates .
`
`.
`
`. do not appear on any certificate revocation list," as
`
`recited by claim 18 (emphasis added).
`
`84.
`
`Instead, Kapidzic states that "For every certificate being verified,
`
`the verifier must check the certificate against the current CRL of the same
`
`issuer. If the CRL is not available locally it must be retrieved from the PCA. All
`
`the locally available CRLs must be updated, i.e. retrieved, once they have expired.
`
`Retrieval is initiated by sending a CRL Request to the PCA (see Figure 8). .
`
`.
`
`. The
`
`PCA, upon receiving the CRL Request, indexes the needed CRLs in its database,
`
`creates a CRL Reply and sends it to the requester. The message contains all the
`
`to an
`
`

`

`lPth)H—t)t)724
`
`Compass: Bank v. intellectual Ventures
`
`requested CRLs, and all the certificates needed for their successful verification."
`
`Ex. 1004, § 6.2, ‘H 1-2 (emphasis added).
`
`85.
`
`In my opinion, merely checking a CRL for every certificate, even if
`
`multiple CRLs are checked, does not teach "using the certificate revocation lists of
`
`e_a_ch_ computer process between a computer process or user . . . and a point of
`
`trust .
`
`.
`
`. to ensure the certificates .
`
`.
`
`. do not appear on any certificate revocation
`
`list," as recited by claim 18.
`
`86. Kapidzic also does not state anywhere that the certification authorities
`
`(CAs) or other components of the CMS are processes, nor does the Petition or
`
`Compass Bank's expert allege that Kapidzic inherently discloses such processes.
`
`87.
`
`Thus, in my opinion, Kapidzic does not disclose "using the certificate
`
`revocation lists of each computer process between a computer process or user
`
`whose certificate is being validated and a point of trust
`
`in common with the
`
`computer process or user which is validating the certificate to ensure the
`
`certificates being used in the validation process do not appear on any certificate
`
`revocation list" because Kapidzic does not disclose computer processes.
`
`88. Accordingly, in my opinion, Kapidzic does not anticipate claim 28,
`
`expressly or inherently.
`
`12. Dependent Claim 29
`
`89.
`
`I understand that because claim 29 depends on claim 18 that claim 29
`
`is patentable at least for the same reasons as claim 18.
`
`13. Independent Claim 30
`
`90.
`
`In my view, Kapidzic fails to teach several features of claim 30.
`
`91.
`
`For instance, Kapidzic fails to anticipate teaches step a.2., "revoking
`
`the current certificate previously used for verification of certificates of subordinate
`
`computer processes." (Emphasis added.)
`
`92.
`
`Instead, Kapidzic teaches that "These are not mutually exclusive
`
`groups, since functions from one group can directly trigger those of another, e.g.
`
`when a certificate is updated, the old certificate must be revoked. (Ex. 1004, § 2.2,
`
`¶ 2) . . . . [I]t is possible for that CA to change its public and secret key pair. It can
`
`happen either when a current pair of keys expires or if the CA's secret key is
`
`suspected to be compromised. In both cases the CA's keys must be changed.
`
`Changing the keys of one CA affects the certification hierarchy, since all
`
`certificates of direct subordinates have been signed with the old secret key. (Id., § 5,
`
`¶¶ 1-2) . . . . Situations can arise that require the revocation of a valid certificate,
`
`e.g. if the corresponding secret key is suspected to have been compromised. . . .
`
`(Id., § 6, ¶ 1)."
`
`93.
`
`In my opinion, none of these passages, collectively or alone, teach
`
`"revoking the current certificate previously used for verification of certificates of
`
`subordinate computer processes." Instead, these passages teach that 1) a CA can
`
`change its keys, 2) changing those keys can affect subordinates, 3) "a valid
`
`certificate" can be revoked if the corresponding secret key is suspected to have
`
`been compromised, and 4) the old certificate must be revoked when a certificate is
`
`updated.
`
`94. None of these teachings actually describe revoking the certificate
`
`previously used for verification of certificates of subordinate computer
`
`processes of the CA who
