IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re Patent of: Larson et al.
U.S. Patent No.: 7,418,504
Issue Date: August 26, 2008
Appl. Serial No.: 10/714,849
Filing Date: November 18, 2003
Title: AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS USING SECURE DOMAIN NAMES
Attorney Docket No.: 38868-0005IP1

DECLARATION OF DR. ROCH GUERIN

1. My name is Dr. Roch Guerin. I am the chair of the Computer Science & Engineering department at Washington University in St. Louis. I have been asked to offer technical opinions relating to U.S. Patent No. 7,418,504, and prior art references relating to its subject matter. My current curriculum vitae is attached and some highlights follow.

2. I earned my diplôme d'ingénieur (1983) from École nationale supérieure des télécommunications, in Paris, France. Thereafter, I earned my M.S. (1984) and PhD (1986) in electrical engineering from The California Institute of Technology in Pasadena, California.

3. Prior to becoming a professor in engineering, I held various positions at the IBM T.J. Watson Research Center. Specifically, from 1986 to 1990, I was a research staff member within the Communication Department, where I worked to design and evaluate high-speed switches and networks. From 1990 to 1991, I was a research staff member within the IBM High Performance Computing and Communications Department, where I worked to develop and deploy an integrated broadband network. From 1992 to 1997, I was the manager of Broadband Networking within IBM’s Security and Networking Systems Department, where I led a group of researchers in the area of design, architecture, and analysis of broadband networks. One of the projects on which I worked, for example, led to U.S. Patent No. 5,673,318, which regards “[a] method and system for providing data authentication, within a data communication environment, in a manner which is simple, fast, and provably secure,” and of which I am a named inventor. See U.S. Patent No. 5,673,318, abstract. From 1997 to 1998, I was the manager of Network Control and Services within IBM’s Security and Networking Systems Department, where I led a department responsible for networking and distributed applications, including topics such as advance reservations, policy support, including for Resource Reservation Protocol (RSVP), quality of service (QoS) routing, and security, and integrated switch and scheduling designs.

Page 1 of 25
MICROSOFT 1021
Petitioner Apple Inc. - Exhibit 1021, p. 1

4. I have been a professor of engineering for the past fifteen years. As such, but prior to becoming the chair of the Computer Science & Engineering department at Washington University in St. Louis, I was the Alfred Fitler Moore Professor of Telecommunications Networks (an honorary chair) in the Department of Electrical and Systems Engineering at the University of Pennsylvania. As a professor of engineering, I have taught many courses in networking, including Advanced Networking Protocols (TCOM 502), which addressed, among other things, virtual private networks.

5. I have authored over fifty journal publications, including “On the Feasibility and Efficacy of Protection Routing in IP Networks,” which was honored as the IEEE INFOCOM 2010 Best Paper Award. I have been named a Fellow by both the IEEE and ACM, and, from 2009 to 2012, I was the Editor-in-Chief of the IEEE/ACM Transactions on Networking. Furthermore, I am a named inventor on over thirty issued U.S. patents.

6. I am familiar with the content of U.S. Patent No. 7,418,504 (the “‘504 patent”). In addition, I have considered the various documents referenced in my declaration as well as additional background materials. I have also reviewed certain sections of the prosecution history of the ‘504 patent, the prosecution history of reexamination control numbers 95/001,788 and 95/001,851; and the claim construction orders from VirnetX Inc. v. Microsoft Corp., Docket No. 6:07CV80 (E.D. Tex.) and VirnetX Inc. v. Cisco Systems, Inc. et al., Docket No. 6:10cv417 (E.D. Tex.).

7. Counsel has informed me that I should consider these materials through the lens of one of ordinary skill in the art related to the ‘504 patent at the time of the invention, and I have done so during my review of these materials. I believe one of ordinary skill as of February 15, 2000 (the priority date of the ‘504 patent) would have a Master’s degree in computer science or computer engineering, or in a related field such as electrical engineering, as well as about two years of experience in computer networking and in some aspect of security with respect to computer networks. I base this on my own personal experience, including my knowledge of colleagues and others at the time.

8. I have no financial interest in either party or in the outcome of this proceeding. I am being compensated for my work as an expert on an hourly basis. My compensation is not dependent on the outcome of these proceedings or the content of my opinions.

9. My opinions, as explained below, are based on my education, experience, and background in the fields discussed above.

10. This declaration is organized as follows:

I. Brief Overview of the ‘504 Patent
II. Terminology
III. Kiuchi and Combinations Involving Kiuchi
IV. Publication and Authenticity of Requests for Comment (RFCs)
V. Conclusion

I. Brief Overview of the ‘504 Patent

11. A section of the ‘504 patent’s specification titled “B. Use of a DNS Proxy to Transparently Create Virtual Private Networks” describes “the automatic creation of a virtual private network (VPN) in response to a domain-name server look-up function,” with reference to FIG. 26. Ex. 1001, 39:4-6. Referring to FIG. 26 below, a “user's computer 2601 includes a conventional client (e.g., a web browser) 2605 and an IP protocol stack 2606 that preferably operates in accordance with an IP hopping function 2607 as outlined above.” Ex. 1001, 39:63-67. “A modified DNS server 2602 includes a conventional DNS server function 2609 and a DNS proxy 2610.” Ex. 1001, 39:67 to 40:2. “A gatekeeper server 2603 is interposed between the modified DNS server and a secure target site [2604].” Ex. 1001, 40:2-4. “An ‘unsecure’ target site 2611 is also accessible via conventional IP protocols.” Ex. 1001, 40:4-5.

12. As described by the ‘504 patent:

DNS proxy 2610 intercepts all DNS lookup functions from client 2605 and determines whether access to a secure site has been requested. If access to a secure site has been requested (as determined, for example, by a domain name extension, or by reference to an internal table of such sites), DNS proxy 2610 determines whether the user has sufficient security privileges to access the site. If so, DNS proxy 2610 transmits a message to gatekeeper 2603 requesting that a virtual private network be created between user computer 2601 and secure target site 2604. In one embodiment, gatekeeper 2603 creates “hopblocks” to be used by computer 2601 and secure target site 2604 for secure communication. Then, gatekeeper 2603 communicates these to user computer 2601. Thereafter, DNS proxy 2610 returns to user computer 2601 the resolved address passed to it by the gatekeeper (this address could be different from the actual target computer) 2604, preferably using a secure administrative VPN. The address that is returned need not be the actual address of the destination computer.

Had the user requested lookup of a non-secure web site such as site 2611, DNS proxy would merely pass through to conventional DNS server 2609 the look-up request, which would be handled in a conventional manner, returning the IP address of non-secure web site 2611. If the user had requested lookup of a secure web site but lacked credentials to create such a connection, DNS proxy 2610 would return a “host unknown” error to the user. In this manner, different users requesting access to the same DNS name could be provided with different look-up results.

Ex. 1001, 40:6-34

II. Terminology

13. I have been informed that claim terminology must be given the broadest reasonable interpretation during an IPR proceeding. I have been informed that this means the claims should be interpreted as broadly as their terms reasonably allow, but that such interpretation should not be inconsistent with the patent’s specification and with usage of the terms by one of ordinary skill in the art when considering the broadest reasonable construction. I have been informed that this may yield interpretations that are broader than the interpretation applied during a District Court proceeding, such as the pending VirnetX Inc. v. Microsoft Corp. litigation.

14. I have been informed that it would be useful to provide some guidance in this proceeding with respect to the term below and its corresponding construction. As part of that, I considered this term’s context within the claim, use within the specification, and my understanding of how one of ordinary skill in the art would understand the term around the time of the purported invention under the broadest reasonable construction standard.

15. I have considered whether a broadest reasonable interpretation of “system” would be broad enough to cover “one or more discrete computers or devices.” I believe that it would, since such an interpretation is not inconsistent with the ‘504 patent’s specification and the understanding one of ordinary skill in the art would ascribe to this term when looking for the broadest reasonable construction. For example, at col. 4, lines 35-48, the ‘504 patent describes a system that includes a modified DNS server 2602 and a separate gatekeeper server 2603, and specifically states that “although element 2602 [(the modified DNS server)] is shown as combining the functions of two servers [(the DNS proxy 2610 and DNS server 2609)], the two servers can be made to operate independently.” Ex. 1001 at col. 40, lines 46-48.

III. Kiuchi and Combinations Involving Kiuchi

A. Kiuchi

16. Kiuchi describes a system and a protocol called “C-HTTP” that “provides secure HTTP communication mechanisms within a closed group of institutions on the Internet, where each member is protected by its own firewall.” Ex. 1018 at p. 64, abstract. The system in Kiuchi allows a user agent computer in one private network to securely access private web pages (e.g., HTML documents) stored on an origin server located in a different private network. As an example, Kiuchi describes that for “hospitals and related institutions,” there is a need for “[s]ecure transfer of patient information” between hospitals, and that “medical information has to be shared among some hospitals, but it should not be made available to other sites.” Ex. 1018 at p. 64, § 5. Kiuchi describes that the C-HTTP protocol allows members of different institutions to communicate using “secure HTTP communication mechanisms” by way of intermediate proxies that are associated with each institution. Ex. 1018 at p. 64, Abstract. In particular, client-side and server-side proxies, working in conjunction with a C-HTTP name server, automatically and transparently perform specialized functions, such as name resolution and establishment of secure connections. The following Diagram 1 illustrates relevant parts within the C-HTTP system described by Kiuchi, and will be used to describe the C-HTTP system.

(Diagram 1)

17. In particular, Kiuchi describes a process by which a client-side proxy, in one institution, establishes a secure C-HTTP connection with a server-side proxy, in another institution, using the C-HTTP protocol over the Internet. See Ex. 1018 at p. 64, § 2.1; p. 69, § 5. The C-HTTP connection uses encryption to provide a secure connection. Ex. 1018 at p. 64 §§ 2.1, 2.2. Through the secure C-HTTP connection, a user agent associated with the client-side proxy may request information stored on one or more origin servers associated with the server-side proxy. See id. In order to establish a C-HTTP connection, Kiuchi teaches discrete steps that are described in the following block diagram. See Ex. 1018 at pp. 65-66, § 2.3; see also, Diagram 2, where each step is numbered to indicate a temporal sequence of the steps taught by Kiuchi.

(Diagram 2)

18. In Kiuchi, the user agent can display HTML documents to an end-user. See Ex. 1018 at p. 65, § 2.3. Through interaction with the user agent, the end user may, for example, select a hyperlink URL included within an HTML document. See id. Kiuchi provides an example of the selected URL: “http://server.in.current.connection/sample.html=@=6zdDfldfcZLj8V!i”, where “server.in.current.connection” is the hostname, “sample.html” is the name of the resource being requested, and “6zdDfldfcZLj8V!i” is a connection ID. See Ex. 1018 at p. 65, § 2.3.

19. Diagram 3 illustrates the initial steps performed by Kiuchi’s system after the user selects the hyperlink (assuming that no C-HTTP connection exists). These steps include: (1) a request sent from the user agent to the client-side proxy for the selected URL; (2) a request from the client-side proxy to the C-HTTP name server for an IP address corresponding to the hostname included in the selected URL; and (3) a response from the C-HTTP name server to the client-side proxy that either includes the IP address associated with the server-side proxy or an error message. In the last step, if the C-HTTP name server returns the IP address of the server-side proxy, then the client-side proxy begins a C-HTTP connection with the server-side proxy, and otherwise, in case of an error message, the client-side proxy performs a DNS lookup using the standard/public DNS, as illustrated by the dashed line in Diagram 3, below. See Ex. 1018 at p. 65, § 2.3.

(Diagram 3)

20. Analyzing these steps in further detail, when the end user selects the hyperlink in the displayed HTML document, the user agent sends a request for the selected URL to the client-side proxy, as illustrated by arrow (1) in Diagram 3. See Ex. 1018 at p. 65, § 2.3. When the client-side proxy receives the URL (including a hostname) from the user agent, in some cases, the client-side proxy attempts to establish a new connection with the host corresponding to the hostname included in the URL. See id.

21. To establish a new connection with the host, the client-side proxy sends a request, as illustrated by arrow (2) in Diagram 3, to resolve the hostname included in the URL. See Ex. 1018 at p. 65, § 2.3(2). The request from the client-side proxy to the C-HTTP name server is a request for a network address associated with a domain name (the hostname in the URL from the user agent). In some instances, the hostname corresponds to an origin server behind a server-side proxy and is associated with the IP address of the server-side proxy. Ex. 1018 at p. 65, § 2.3. In other instances, the hostname instead corresponds to a server on the Internet outside the C-HTTP network. Ex. 1018 at p. 65, § 2.3.

22. The request from the client-side proxy to the C-HTTP name server is initiated, through a clear causal chain of events, by the user agent when the user agent sends the original request for content associated with a hostname to the client-side proxy. In addition, Kiuchi discloses that the user agent is located behind a client-side proxy, which is “on the firewall of one institution,” and that the origin server is located behind the server-side proxy, which is “on the firewall of another institution.” Ex. 1018 at p. 64, §2.1. From the point of view of the C-HTTP name server, the request that it receives from the client-side proxy is initiated from the institution in which the client-side proxy is a member.

23. Upon receipt of the request from the client-side proxy (arrow (2)), the C-HTTP name server first authenticates the client-side proxy to determine if the request is legitimate. See Ex. 1018 at p. 65, § 2.3. For example, Kiuchi describes that the communication between the client-side proxy and the C-HTTP name server is certified. Ex. 1018 at p. 65. In particular, the client-side proxy signs a request before sending it to the C-HTTP name server, which then verifies the signature in the request using a public key. Id. If successful, the C-HTTP name server authenticates the request as being legitimate. Id. When the request is legitimate, the C-HTTP name server determines whether the “server-side proxy [associated with the hostname] is registered in the closed network.” Id.

24. If the C-HTTP name server confirms that the server-side proxy is not registered in the closed network, or if the connection otherwise is not permitted, then the C-HTTP name server returns an error message, in response to which the client-side proxy performs a look-up with a standard/public DNS server, behaving like an ordinary HTTP proxy (as illustrated by the dashed line in Diagram 3). See id. The standard/public DNS server then returns to the client-side proxy an IP address of the host that corresponds to the hostname, which the client-side proxy uses to connect to the host on behalf of the user agent. See Ex. 1018 at p. 65, § 2.3.

25. On the other hand, if the C-HTTP name server confirms that the server-side proxy is registered in the closed network and is permitted to accept a connection from the client-side proxy, then the C-HTTP name server sends a response to the client-side proxy’s request that includes “the IP address and public key of the server-side proxy and both request and response Nonce values,” as illustrated by arrow (3) in Diagram 3. See Ex. 1018 at p. 65, § 2.3. The client-side proxy then uses the IP address, public key, and request Nonce value to contact the server-side proxy and create a C-HTTP connection with the server-side proxy. See Ex. 1018 at p. 65, § 2.3. The steps for doing so are illustrated in Diagram 4.

26. In particular, Kiuchi describes that the client-side proxy, in response to receiving the IP address and public key of the server-side proxy, sends a “[r]equest for connection to the server-side proxy” that includes a symmetric key and other information (indicated by arrow (4) in Diagram 4). See Ex. 1018 at pp. 65-66, § 2.3, steps 3-5. The server-side proxy then performs a “[l]ookup of client-side proxy information” with the C-HTTP name server to determine if the client-side proxy is authorized to access the server-side proxy (arrows 5 and 6). Id. If the client-side proxy is authorized, then the server-side proxy sends confirmation of the C-HTTP connection to the client-side proxy (arrow 7). Id.

(Diagram 4)

27. Considering these steps in further detail, the client-side proxy, in response to receiving the IP address and associated information from the C-HTTP name server, sends a request for connection to the server-side proxy, as illustrated by arrow (4) in Diagram 4. See Ex. 1018 at p. 65, § 2.3. After receiving the request, the server-side proxy “asks the C-HTTP name server whether the client-side proxy is an appropriate member of the closed network,” as illustrated by arrow (5) in Diagram 4, and, in response, the C-HTTP name server “examines whether the client-side proxy is permitted to access to the server-side proxy.” Ex. 1018 at pp. 65-66, § 2.3. If the C-HTTP server determines that “access is permitted, the C-HTTP name server sends the IP address and public key of the client-side proxy and both request and response Nonce values” to the server-side proxy, as illustrated by arrow (6) in Diagram 4. Ex. 1018 at p. 66, § 2.3. The server-side proxy then responds to the client-side proxy with a message that contains a symmetric key and other information, thereby establishing the C-HTTP connection. Id.
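
The resolution and authorization steps described in paragraphs 19 through 27 can be modelled as below. This is an added illustration, not part of the declaration and not Kiuchi's source code; every hostname, address and key is constructed, and an HMAC with a per-proxy key stands in for the public-key signature check so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; none of these names, keys or addresses come from Kiuchi.
PROXY_KEYS = {"proxy.hospital-a.example": b"key-a", "proxy.hospital-b.example": b"key-b"}
REGISTRY = {  # hostname of a secure destination -> its server-side proxy
    "records.hospital-b.example": {"proxy": "proxy.hospital-b.example",
                                   "ip": "192.0.2.20", "public_key": "PUBKEY-B"},
}
PROXY_INFO = {"proxy.hospital-a.example": {"ip": "192.0.2.10", "public_key": "PUBKEY-A"}}
PERMITTED = {("proxy.hospital-a.example", "proxy.hospital-b.example")}
PUBLIC_DNS = {"www.example.org": "198.51.100.7"}


def sign(key: bytes, requester: str, hostname: str) -> str:
    """HMAC stand-in for the signature the client-side proxy puts on its request."""
    msg = f"{requester}|{hostname}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class NameServer:
    """C-HTTP name server role: authenticate, check registration, check permission."""

    def __init__(self):
        self.pending = {}  # (client proxy, server proxy) -> nonces issued at arrow (3)

    def resolve(self, requester: str, hostname: str, signature: str) -> dict:
        key = PROXY_KEYS.get(requester)
        # Assumption: a request that fails authentication gets the same kind of
        # error reply as an unregistered or unpermitted one.
        if key is None or not hmac.compare_digest(sign(key, requester, hostname), signature):
            return {"status": "error", "reason": "request not authenticated"}
        entry = REGISTRY.get(hostname)
        if entry is None:
            return {"status": "error", "reason": "not registered in the closed network"}
        if (requester, entry["proxy"]) not in PERMITTED:
            return {"status": "error", "reason": "connection not permitted"}
        nonces = {"request_nonce": secrets.token_hex(8), "response_nonce": secrets.token_hex(8)}
        self.pending[(requester, entry["proxy"])] = nonces
        return {"status": "ok", "ip": entry["ip"], "public_key": entry["public_key"], **nonces}

    def lookup_client(self, server_proxy: str, client_proxy: str) -> dict:
        """Arrows (5)-(6): the server-side proxy asks whether the client may connect."""
        # Assumption: the nonces handed back are the ones issued at arrow (3).
        nonces = self.pending.get((client_proxy, server_proxy))
        if (client_proxy, server_proxy) not in PERMITTED or nonces is None:
            return {"status": "error", "reason": "client-side proxy not permitted"}
        return {"status": "ok", **PROXY_INFO[client_proxy], **nonces}


def client_side_proxy(ns: NameServer, me: str, key: bytes, hostname: str) -> dict:
    """Arrows (2)-(3) plus the fallback: an error from the name server means public DNS."""
    answer = ns.resolve(me, hostname, sign(key, me, hostname))
    if answer["status"] == "ok":
        return {"mode": "c-http", "connect_to": answer["ip"], "nonce": answer["request_nonce"]}
    ip = PUBLIC_DNS.get(hostname)
    if ip is None:
        return {"mode": "unresolved", "connect_to": None, "reason": answer["reason"]}
    return {"mode": "plain-http", "connect_to": ip, "reason": answer["reason"]}
```

The same hostname resolves differently depending on which proxy asks and whether its request authenticates, and any error from the name server sends the lookup to the public DNS table instead.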

28. Subsequently, a user agent (in the same institution as the client-side proxy) is able to securely access an origin server (in the same institution as the server-side proxy) using the C-HTTP connection. Id. As a result, members of different institutions on the Internet can communicate, via client-side and server-side proxies, using “secure HTTP communication mechanisms.” Ex. 1018 at p. 64, Abstract.

29. Kiuchi’s C-HTTP name server and standard DNS name server store a plurality of domain names and corresponding network addresses to resolve hostnames into IP addresses. See Ex. 1018 at p. 65, § 2.3(1)-(2). With respect to the C-HTTP name server, Kiuchi explains that when an institution wants to participate in the closed network, “it must [] install a closed-side and/or server-side proxy on its firewall [and] register an IP address . . . and a hostname” with the C-HTTP name server. Ex. 1018 at p. 65, § 2.2. As a result, the C-HTTP name server stores a plurality of hostnames of secure destinations and corresponding IP addresses (e.g., addresses of server-side proxies in multiple institutions), and uses that information to resolve hostnames into IP addresses in response to queries from authorized proxies. See Ex. 1018 at p. 65, §§ 2.2-2.3. The standard/public DNS also performs domain name resolution and, in order to do so, would need to store a mapping between the IP address and domain name. See Ex. 1018 at p. 65, § 2.2(1); see also Ex. 1010 at p. 5. It was well known to one of ordinary skill in the art that the Internet is composed of multiple IP addresses and domain names. See, e.g., 1010 at p. 5. Therefore the standard/public DNS server would necessarily store a plurality of domain names and corresponding IP addresses to resolve hostnames into IP addresses.

30. One of ordinary skill in the art, prior to February 2000, also would have understood that hostnames and IP addresses that are stored at the C-HTTP name server and the public/standard DNS server are stored in a database. In particular, one of ordinary skill would have understood that, in response to a query for domain name resolution, a name server (e.g., the C-HTTP name server or a standard/public DNS name server) is, by its nature, configured to search for a particular domain name amongst the plurality of domain names and corresponding IP addresses that it stores. See, e.g., p. 65, § 2.2(1). To permit such searching, the name server would necessarily have stored its plurality of domain names and corresponding IP addresses in an organized and persistent structure (i.e., a database). For instance, this knowledge of a person of ordinary skill was reflected in the publicly available RFC 1034 (Ex. 1010), which discloses that a domain name database is used for domain name resolution. See Ex. 1010 at §§ 3.1, 4.1.

31. Furthermore, prior to February of 2000, one of ordinary skill in the art would understand that domain names included in the URLs described by Kiuchi (and thus stored in the name servers described by Kiuchi) would contain top-level domains, as was standard for the Internet. For instance, this knowledge is reflected in the publicly available RFC 1591 (Ex. 1011), which describes the domain name system structure and notes that in “the Domain Name System (DNS) naming of computers there . . . are a set of what are called ‘top-level domain names’ (TLDs)” Ex. 1011 at 1. By showing standard domain name resolution in connection with the Internet, Kiuchi discloses that the domain names include “a top-level domain name.” Moreover, Kiuchi shows several examples of domain names that may be stored at the C-HTTP name server, including: “University.of.Tokyo.Branch.Hospital”. Ex. 1018 at p. 73, Appendix 3. In this example, one of ordinary skill in the art would understand “.Hospital” to be a top level domain, under that term’s broadest reasonable interpretation.

32. Kiuchi further explains that “[e]nd-users…do not even have to be conscious of using C-HTTP based communications” and that “C-HTTP is transparent to both” the user agent and the origin server. Ex. 1018 at p. 68, § 4.2. Therefore, Kiuchi describes that the C-HTTP connection between the user agent (via the client-side proxy) and the origin server (via the server-side proxy) would be established transparently to a user.

33. Furthermore, within each institution, Kiuchi describes various ways the computers and communications can be secured. For example, Kiuchi describes that “each member is protected by its own firewall” within the institution. Ex. 1018 at p. 64, abstract. As a specific example, Kiuchi describes that “in-hospital networks are usually protected using a dual home gateway and packet filter (firewall).” Ex. 1018 at p. 67, § 4.2. In addition to the protection offered by the firewall within each institution, for further security, Kiuchi describes that “it is possible to develop C-HTTP proxies which can communicate with other secure HTTP compatible user agents and servers.” Ex. 1018 at p. 69, § 4.4. Kiuchi explains that this optional configuration can further “assure end-to-end or individual security.” Id.

34. In addition, Kiuchi explains that its system uses computing devices and software, which necessarily include a machine-readable medium comprising instructions executable in a domain name service system. For example, Kiuchi’s client-side proxy and server-side proxy are each described as containing computer readable instructions that cause each to implement the functions performed by those items. See Ex. 1018 at p. 65, § 2.2. In particular Kiuchi describes that the C-HTTP proxy software is provided as source code and provides, in the Appendices, a summary of the source code that can be used by various components of its system in implementing the functions that it provides. See Ex. 1018 at p. 69, § 4.4, p. 67, § 3(1), pp. 70-75. One of ordinary skill in the art would similarly understand the C-HTTP name server as containing one or more computer readable instructions that cause it to implement the functions it performs.

35. The computing devices and software can be configured to provide various types of services that utilize communication protocols, various sessions, and application programs, such as e-mail. Kiuchi explains that its system is built on HTTP because of its flexibility in permitting “distributed multimedia information systems with user-friendly graphical interfaces.” Ex. 1018 at p. 67, § 4.1. Kiuchi explains that any type of data that is transmitted via HTTP can be sent through its system, such as electronic mail, HTML documents, and multimedia. See id. For example, Kiuchi describes that the C-HTTP supports a user agent application that provides e-mail: “Internet news and electronic mail services are available with an HTTP-based graphical user interface via gateways for protocol conversions. Electronic mail services within a given group of institutions can be also developed using HTTP and CGI (Common Gateway Interface).” Ex. 1018 at 67, § 4.1(1).

36. Kiuchi describes that HTTP was chosen as the basis for the C-HTTP system because HTTP supports various user agent applications designed for different platforms and C-HTTP is transparent to these various user agents and servers. See Ex. 1018 at p. 67, § 4.1, p. 68, § 4.2.

37. Kiuchi teaches a plurality of services that may be accessed “via gateways for protocol conversions.” Ex. 1018 at 67. Kiuchi further teaches that the services supported over the secure communication link can utilize a variety of communication protocols: “C-HTTP is not an alternative to other secure HTTP proposals, but it can co-exist with them. Although the current C-HTTP implementation assumes the use of HTTP/1.0 compatible user agents and servers, it is possible to develop C-HTTP proxies which can communicate with other secure HTTP compatible user agents and servers. If C-HTTP is used with these protocols, which assure end-to-end or individual security, both institutional and personal level security protection can be provided.” Ex. 1018 at 69, § 4.4 (emphasis added).

38. Kiuchi further teaches that a client-side proxy is configured to process multiple different sessions with multiple different server-side proxies: “In C-HTTP, as different from ordinary HTTP, a session (virtual C-HTTP connection) is established between a client-side proxy and server-side proxy and, thus, it is not stateless. The session is finished when the client accesses another C-HTTP server or an ordinary WWW server or when the client-side or server-side proxy times out. The following ad-hoc mechanism is employed to define a session in stateless HTTP/1.0-based communication between a client-side proxy and user agent.” Ex. 1018 at 65. In other words, the client-side proxy is configured to transition from a first session (virtual C-HTTP connection) with a first server-side proxy to a second session (virtual C-HTTP connection) with a second server-side proxy.

39. Kiuchi also teaches that the HTTP protocol supported by the secure C-HTTP closed network is capable of supporting a variety of services: “Different application level protocols have been developed for individual network services, such as FTP, SMTP, NNTP or GOPHER [5], [6], [7], [8]. HTTP has the flexibility to be able to provide services similar to those which have been provided by these protocols. For example, file transfer by FTP is accomplished by the object transfer mechanism of HTTP and, from a functional viewpoint, the Gopher protocol can be considered a subset of HTTP. Internet news and electronic mail services are available with an HTTP-based graphi
