European Case Law Identifier: | ECLI:EP:BA:2012:T134008.20120516
---|---
Date of decision: | 16 May 2012
Case number: | T 1340/08
Application number: | 02258089.8
IPC class: | G06F 1/00
Language of proceedings: | EN
Distribution: | D
Title of application: | Centralized authentication for authorising access to network peripheral devices
Applicant name: | CANON KABUSHIKI KAISHA
Opponent name: | -
Board: | 3.5.06
Headnote: | -
Relevant legal provisions: |
Keywords: | Inventive step (no); Admissibility - second auxiliary request (no); Request to remit for examination of the second auxiliary request (no)
Catchwords: | -
Cited decisions: |
Citing decisions: |

Summary of Facts and Submissions
I. The appeal is directed against the decision of the examining division, with written reasons posted on 18 February 2008, to refuse the application 02258089. The reason for the refusal was lack of inventive step, in violation of Article 56 EPC 1973. The following documents were referred to:
D2 US 6 202 092 B1, 13 March 2001.
D1 EP 1 130 497 A, 5 September 2001.
II. A notice of appeal was received on 16 April 2008. The fee was received the same day. A statement of the grounds of appeal was received on 27 June 2008. A main and an auxiliary request were filed with the grounds. Oral proceedings were conditionally requested.
III. The board issued a summons to attend oral proceedings, raising objections with respect to original disclosure (Article 123(2) EPC) and inventiveness (Article 56 EPC 1973).
IV. In a letter dated 16 April 2012, the appellant filed amended main and auxiliary requests, and two description pages.
V. Oral proceedings were held on 16 May 2012 during which the appellant filed a second auxiliary request. It also requested to remit the case to the first instance for examination of the second auxiliary request. At the end of the oral proceedings, the chairman announced the board's decision.
VI. The appellant requests to set the decision aside and to grant a patent on the basis of the main request (claims 1-21) or the first auxiliary request (claims 1-18) both filed with the letter dated 16 April 2012, or on the basis of the second auxiliary request (claims 1-19), filed during oral proceedings on 16 May 2012.
The further text is: description pages 1, 2, 5-28 as originally filed; page 3 as filed with letter dated 9 October 2006; pages 3a, 4 as filed with letter dated 16 April 2012; drawing sheets 1-13 as originally filed.
VII. Claim 1 of the main request reads:
"1. A method for controlling access to a networked peripheral device (6) by a user, wherein the networked peripheral device (6) is accessible by the user based on access management information, the networked peripheral device (6) providing at least one of a print service, a scan service, a facsimile service, and a copy service, and providing a plurality of features corresponding to the at least one service, the method being characterized by comprising: receiving, at a computer (1), from a server (8) access management information for identifying a service and a feature corresponding to the service of the networked peripheral device (6) available to a remote user or identifying a service and a feature corresponding to the service of the networked peripheral device (6) not available to the remote user in the service and the features corresponding to the service provided by the networked peripheral device (6); receiving, at the networked peripheral device (6), from the computer (1) the access management information and a job; determining, at the networked peripheral device (6), whether the remote user can use a service and a feature corresponding to the service of the networked peripheral device (6) necessary to perform the received job, based on the received access management information (S1106); and performing, at the networked peripheral device (6), the received job in a case that the remote user can use the service and the feature corresponding to the service necessary to perform the received job (S1109)."
VIII. Claim 1 of the first auxiliary request differs from claim 1 of the main request by the characterising portion:
"the method being characterized by comprising: if the user is a remote user remotely accessing the device via a computer (1): receiving, at a computer (1), from a server (8) access management information for identifying a service and a feature corresponding to the service of the networked peripheral device (6) available to the remote user or identifying a service and a feature corresponding to the service of the networked peripheral device (6) not available to the remote user in the service and the features corresponding to the service provided by the networked peripheral device (6); receiving, at the networked peripheral device (6), from the computer (1) the access management information and a job; determining, at the networked peripheral device (6), whether the remote user can use a service and a feature corresponding to the service of the networked peripheral device (6) necessary to perform the received job, based on the received access management information (S1106); and performing, at the networked peripheral device (6), the received job in a case that the remote user can use the service and the feature corresponding to the service necessary to perform the received job (S1109); and if the user is a local user locally accessing the device at the device (6): receiving, at the networked peripheral device (6), from the server (8) without the computer access management information for identifying a service and a feature corresponding to the service of the networked peripheral device (6) available to the local user or identifying a service and a feature corresponding to the service of the networked peripheral device (6) not available to the local user in the service and the features corresponding to the service provided by the networked peripheral device (6) (S306); determining, at the networked peripheral device (6), whether the local user can use a service and a feature corresponding to the service of the networked peripheral device (6), based on the received access management information without the computer (S307); and allowing, at the networked peripheral device, the local user to use the service and the feature corresponding to the service in a case that the local user can use the service and the feature corresponding to the service."
IX. Claim 1 of the second auxiliary request differs from claim 1 of the main request by the following (additions in italics):
"the method being characterized by comprising: receiving, at the server (8), from a computer (1) authentication information corresponding to a remote user; authenticating, at the server (8), the remote user based on the received authentication information; receiving, at the computer (1), from the server (8) access management information ... networked peripheral device, wherein the server (8) transmits the access management information for the remote user to the computer (1) after the server (8) authenticates the remote user; receiving, at the networked peripheral device ..."
Reasons for the Decision
1. Original disclosure
After discussing the issue during the oral proceedings, the board does not maintain the objection raised in the summons.
2. Inventiveness
2.1 Claim 1 of the main request
2.1.1 This claim is an amended version of claim 1 of the former main request filed with the first letter of reply dated 9 October 2006 and withdrawn during oral proceedings. It additionally contains in the preamble after "access management information" the expression:
"the networked peripheral device (6) providing at least one of a print service, a scan service, a facsimile service, and a copy service, and providing a plurality of features corresponding to at least one service".
It further replaces all occurrences (4) of the expression "a feature and/or a service" by "a service and a feature corresponding to the service", and it adds "remote" to all occurrences of "user" in the characterising portion.
It additionally contains at the end of the first receiving step after "not available to the user" the expression:
"in the services and the features corresponding to the services provided by the networked peripheral device (6)".
The board considers most of these amendments to be acceptable clarifications. As to the formulation "providing at least one of a print service, a scan service, ..." see section 2.1.6 below.
2.1.2 In its summons and in its minutes of the oral proceedings, the examining division chose D2 as closest prior art to claim 1 of the former main request. The board agrees with that and considers D2 as the closest prior art to the current requests. Furthermore, the board agrees with the minutes of the oral proceedings (section 4.) that the embodiment of figure 4 in D2 is closer to the invention than the passages used in the summons. This is because in this embodiment, it is the printer with its "security validating portion 53" that checks with the help of the security data base on the file device 43 of the server computer 4 if a user with a certain ID is authorised or not to use certain features of the print service (like "color print", "woodfree paper", "print on both sides" or "stapler", see figures 3(a) and (b) and column 6, lines 33 to column 7, line 11).
2.1.3 It was argued in the grounds of appeal that "color print" and "print on both sides" were "functions" and that no "features corresponding to the functions" were disclosed in D2 (grounds, page 6, first paragraph). However, the description of the application discloses on page 12, line 12 the feature "color" of the service "print". Therefore, the board considers the expression "color print" of D2 as representing a service/feature combination in the sense of the application. The word "function" in D2 corresponds to "feature" in the application. Also "print on both sides" is considered as a service/feature combination since it characterises the way the print service is functioning.
In the terminology of the application, document D2 provides one "service", namely "print", with a number of "features".
2.1.4 In order to "use the security data base" (column 6, line 43), the printer has to receive parts of that database. This is confirmed by the passage on column 7, lines 1-8:
"In this way, information indicating a range of authority, including a maximum number of printable pages, usable printer functions, and status of use of the printer by the user are stored in the security data base provided in the file device 23. Upon receipt of a print request, print validating means 22b or 53 analyzes the print request in light of the user ID and the information in the security data base to determine either authorization or non-authorization."
This means that the "print validating means 53" (also called "security validating portion 53") of the printer in the embodiment of figure 4 receives a print request from the computer and information from the security data base of the server, and decides on the authorisation for this print request. The information from the security data base of the server in D2 is considered to correspond to the so-called "access management information" of the claim.
The appellant argued during the oral proceedings that the word "uses" in D2, column 6, line 43 did not mean "receives", but rather "acquires". The board does not find this convincing. The skilled person would normally understand the expression "using a database" to mean "sending a query to it" and "receiving the data from the database that corresponds to the query". Moreover, the skilled person would also understand that in order to "analyze the print request in light of the user ID and the information in the security data base", the printer has to receive the relevant "information in the security data base" from the server containing said data base, even if indirectly. In this context there is therefore no difference between "acquiring" and "receiving".
2.1.5 It follows that the only difference between claim 1 of the current main request and D2 is that in the claim the access management information is transferred from the server to the networked peripheral device in a two-step way with a "stopover" at the computer.
2.1.6 The fact that the networked peripheral device of the claim provides "at least one of a print service, a scan service, a facsimile service and a copy service", but D2 only provides a print service, does not constitute a difference between claim 1 and D2 since one of the embodiments of the formulation "at least one of a print service, ..." is a device with only a print service.
2.1.7 As to a technical effect of the two-step transmission, the description is silent. It merely states on page 25, lines 14-16 and in steps S1104 and S1105 of figure 11 that there is this two-step transmission, without motivating it. The board also could not recognise any technical effect that would go beyond the immediate consequences of that transmission scheme.
2.1.8 The appellant argued during the oral proceedings that the two-step transmission via the computer had the technical effect that the access management information was available at the computer before sending the job to the device and that this would allow some further implementation possibilities, for example customising the user interface to offer only options which were in fact available to the user.
2.1.9 However, none of these implementation possibilities are claimed nor disclosed in the description. Instead the application clearly implies that the information is merely received at the computer and passed on to the peripheral without intermediate processing. The board cannot see how the mere possibility to produce another (more specific) invention by implementing such a possibility, departing from the claimed invention, could be the basis for an inventive step of the claimed invention. A technical effect must be present - at least potentially - in the claimed invention, but not in a potential invention to be implemented in an undisclosed way.
2.1.10 The appellant argued further that the two-step transmission enabled the computer to pre-check the print job before sending it to the device. The network load would thus be decreased.
2.1.11 Again this is an implementation possibility that is neither disclosed nor claimed, and departs in fact from the clear teaching of the application as a whole.
2.1.12 Therefore, the board agrees with the minutes of the oral proceedings before the examining division that the differences represented a mere design choice.
2.1.13 The appellant argued further that the distribution of the two tasks to two entities, namely the authentication by the server and the authorisation by the device, improved the security. Two distributed entities could not be corrupted as easily as one alone. In D2, column 3, lines 53-55, the authentication was done only at the printing device.
2.1.14 Again this argument is not convincing. Firstly, one could also argue that the security is decreased, and not increased with two distributed entities, since there are two vulnerable targets instead of one. Increased security would depend on further, undisclosed, features. And one has to install protection measures for two entities. Secondly, there is no authentication done in claim 1, only in dependent claim 3. The "access management information for identifying a service and a feature ... available to a remote user" contains authorisation information for a remote user who is not necessarily authenticated in claim 1 (i.e. checked if he is really the person he pretends to be). If, for the sake of argument, an authentication of the remote user at the server were to be included in claim 1, then the board would nonetheless consider it an arbitrary choice whether the computer sends the remote user's ID to the server which authenticates the remote user, or whether the computer sends the remote user's ID to the printer which authenticates the remote user and sends the ID to the server. Neither the application nor D2 consider authentication as a problem or as a point to be discussed. The appellant argued that, if it were to be added to claim 1 that the server did an authentication, there would be the technical effect that the load on the peripheral device would be decreased. The board accepted this point, but considered that it would be clear to the skilled person that this difference would in practice be insignificant, and could not, therefore, be the basis of an argument for an inventive step.
2.1.15 Thus, claim 1 of the main request is not inventive, in violation of Article 56 EPC 1973.
2.2 Claim 1 of the first auxiliary request
2.2.1 In addition to the features of claim 1 of the main request (i.e. the remote user scenario, e.g. for printing), claim 1 of the first auxiliary request contains the local user scenario (also called walk-up user scenario, e.g. for scan, copy and fax services).
2.2.2 The differences between claim 1 of the first auxiliary request and D2 are firstly the aforementioned difference between claim 1 of the main request and D2 (i.e. the two-step transmission), and secondly the second part of the claim relating to the local user scenario (i.e. from the expression "if the user is a local user locally accessing the device at the device (6):" to the end of the claim).
These two differences are independent of each other. They do not interact with each other, since they belong to mutually exclusive use scenarios.
2.2.3 Therefore the objective technical problem can be formulated as two partial problems: firstly, how to provide an alternative transmission scheme for the access management information; and secondly, how to extend the method for controlling access to a networked peripheral device in a local user scenario.
2.2.4 For the first partial technical problem the same holds as for the main request. As to the second partial technical problem, the board considers it obvious to the skilled person to use more or less the same access control scheme as for the remote user scenario. Since in the local user scenario, no computer is involved for the user to input his copy/scan/fax request, the simple transmission scheme (i.e. from the server to the device), implicitly disclosed in D2, would obviously be used.
2.2.5 The statement of the appellant during oral proceedings that neither D2 nor D1 disclosed the local user scenario did not convince the board. It was never contested that D2 only concerns the remote user scenario, but D1 discloses a multifunction printing device, and the need for both scenarios would be clear (e.g. see D1, paragraph [41], or paragraph [3] cited in the summons, section 6.3).
2.2.6 The appellant argued further that in the local user scenario of the invention, the device had the possibility to present a customised graphical user interface (GUI) to the local user containing only allowed services and features (see figure 7 and description page 2, paragraph 2).
2.2.7 However, this implementation possibility is not claimed. The wording "allowing, at the networked peripheral device, the local user to use the service and the feature ..." in the last step of claim 1 leaves it open whether the inputted user requests for services and features are checked for allowability, or whether the inputting means (GUI) are arranged in such a way that the user can only enter requests for allowed services and features. Furthermore, there are features such as the number of pages to be copied which are not usually entered via the keyboard, but are determined by the pile of paper put into the paper feed. Thus, exceeding the number of allowed copy pages for a local user cannot be prevented by a customised GUI. This limit would have to be checked after the user has entered the copy service request. Thus, there is at least one embodiment of the last step of "allowing" and one feature (for any embodiment of the "allowing" step) where the checking would be done as in the remote user scenario of D2, i.e. without a customised GUI.
2.2.8 Therefore, claim 1 of the first auxiliary request is not inventive, in violation of Article 56 EPC 1973.
3. Admissibility of the second auxiliary request
3.1 After the discussion of the main and the first auxiliary request during the oral proceedings, the appellant filed a second auxiliary request. Claim 1 of this new request is based on claims 1 and 3 of the main request, and is similar to the refused claim 1, filed during oral proceedings before the examining division. Note that the main request during appeal is based on the former main request withdrawn during oral proceedings before the examining division. Like the refused claim 1, claim 1 of the newly filed second auxiliary request contains the additional feature of the server authenticating the user in the remote user scenario. This was said to improve the security.
3.2 The appellant's representative justified the late filing of this request by the change of the representative during the appeal and by communication problems with the appellant.
3.3 These are, however, merely practical and personal explanations of why the request was filed so late. The board had to balance these avoidable circumstances against the need for procedural economy according to Article 13(1) and (3) RPBA. In this respect it has to be noted that the new request was prima facie unlikely to overcome the inventive step objection, as was clear from the discussion of a hypothetical amendment of the main request which had already taken place in the oral proceedings - see 2.1.13 and 2.1.14 above.
3.4 Therefore, the second auxiliary request was not admitted to the proceedings.
4. Allowability of the request for remittal
The appellant also requested to remit the case to the first instance for examination of the second auxiliary request. Since this second auxiliary request was not admitted, the request for remittal to examine the second auxiliary request cannot be allowed.
ORDER
For these reasons it is decided that:
The appeal is dismissed.