` UNITED STATES PATENT AND TRADEMARK OFFICE
`
` ________________________
`
` BEFORE THE PATENT TRIAL AND APPEAL BOARD
`
` ________________________
`
` EMC CORPORATION
`
` Petitioner
`
` V.
`
` ACTIVIDENTITY, INC.
`
` Patent Owner
`
` ____________________________
`
` IPR2017-00338
`
` Patent 9,098,685
`
` DEPOSITION OF B. CLIFFORD NEUMAN, Ph.D.
`
` September 28, 2017
`
` 8:56 a.m.
`
` Veritext Legal Solutions
`
` Mid-Atlantic Region
`
` 1250 Eye Street NW - Suite 350
`
` Washington, D.C. 20005
`
`Veritext Legal Solutions
`215-241-1000 ~ 610-434-8588 ~ 302-571-0510 ~ 202-803-8830
`
`IV 2006
`IPR2017-00338
`
`
`
`Page 2
`
` DEPOSITION OF B. CLIFFORD NEUMAN,
`
` Ph.D., a witness called on behalf of the
`
` Patent Owner, pursuant to the provisions of
`
` the Patent and Trademark Office Rules of
`
` Civil Procedure, before Jill Shepherd,
`
` Registered Professional Reporter,
`
` MA-CSR #148608, NH-CSR #128, CA-CSR #13275,
`
` CLR, and Notary Public, in and for the
`
` Commonwealth of Massachusetts, at the
`
` offices of Wilmer Hale, 60 State Street,
`
` Boston, Massachusetts, on Thursday,
`
` September 28, 2017, commencing at 8:56 a.m.
`
`Page 3
`
` APPEARANCES:
`
` WILMER CUTLER PICKERING HALE AND DORR, LLP
`
` By: Arthur C.H. Shum, Esq.
`
` Cynthia Vreeland, Esq.
`
` 60 State Street
`
` Boston, MA 02109
`
` Tel: 617.526.6667
`
` E-mail: arthur.shum@wilmerhale.com
`
` On Behalf of the Petitioner.
`
` STERNE KESSLER GOLDSTEIN & FOX
`
` By: Lori Gordon, Esq.
`
` Lestin Kenton, Esq.
`
` 1100 New York Ave. NW, Suite 600
`
` Washington, DC 20005
`
` Tel: 202.772.8862
`
` E-mail: lgordon@skgf.com
`
` lkenton@skgf.com
`
` On Behalf of the Patent Owner and
`
` Third-Party Licensee.
`
`Page 4
`
` ALSO PRESENT:
`
` Thomas Brown, Counsel
`
` EMC
`
` Hopkinton, MA
`
`Page 5
`
` INDEX
`
` WITNESS PAGE
`
` B. CLIFFORD NEUMAN, Ph.D.
`
` Examination by Ms. Gordon 6
`
` EXHIBITS
`
` NO. DESCRIPTION PAGE
`
` (NO NEW EXHIBITS OFFERED)
`
`Page 6
`
` PROCEEDINGS
`
` EXAMINATION BY MS. GORDON
`
` Q. Good morning, Dr. Neuman. Could you please
`
` state your full name for the record.
`
` A. Yes. It is Barry Clifford Neuman. I use B.
`
` Clifford Neuman, spelled C-L-I-F-F-O-R-D,
`
` N-E-U-M-A-N.
`
` Q. Thank you.
`
` And you understand that you are here
`
` today to testify regarding the testimony you
`
` submitted by declaration in the United
`
` States Patent and Trademark Office in the
`
` inter partes review of U.S. patent number
`
` 9,098,685?
`
` A. I do.
`
` Q. All right.
`
` And for purposes of today's
`
` deposition, is it okay if we refer to that
`
` patent as the '685 patent?
`
` A. Yes, it is.
`
` Q. All right. Thank you.
`
` Dr. Neuman, have you been deposed
`
` before?
`
` A. I have.
`
` Q. And how many times?
`
`Page 7
`
` A. Probably somewhere between about 15 and 20
`
` over the course of many years.
`
` Q. Okay.
`
` And were those related to litigations?
`
` A. Those were most -- well, some were related
`
` to IPRs, some to CBMs, some related to
`
` litigations in patent cases. There was
`
` one in a contract case and then there was
`
` one having to do with an accident that I
`
` witnessed.
`
` Q. Okay.
`
` So you have been involved in IPR
`
` proceedings before?
`
` A. I have.
`
` Q. And you have been deposed in those
`
` proceedings?
`
` A. I have. In some of those proceedings.
`
` Q. In some of those.
`
` And have any of the proceedings that
`
` you mentioned in either the litigation or
`
` the IPRs happened in the last four years?
`
` A. Yes. Quite a number of those have.
`
` Q. All right.
`
` And do you have a CV that lists the
`
` litigation matters --
`
`Page 8
`
` A. My CV does not list those litigation
`
` matters. I do have a list elsewhere that I
`
` have provided in various cases.
`
` Q. Okay.
`
` And do you know if that list has been
`
` provided in this case?
`
` A. I do not recall offhand.
`
` Q. Okay.
`
` MS. GORDON: So Arthur, I don't
`
` think we have a list of his litigations --
`
` in this case, we don't have a list of his
`
` litigations, prior litigations, so if it
`
` would be possible to get a copy of that this
`
` morning, that would be great.
`
` MR. SHUM: Do you need it this
`
` morning or can it be after the deposition?
`
` MS. GORDON: If there's a way we
`
` could get it while the deposition would be
`
` open just in case there's some questions
`
` that we need to ask about.
`
` A. Well, I think that would only be possible if
`
` I were to go through my records, and that's
`
` not something that's going to be conducive
`
` timewise to this. I'm happy to do that
`
` after the deposition.
`
`Page 9
`
` Q. Okay. All right. Thank you. I can talk to
`
` Mr. Shum at the break and figure out how
`
` best to proceed on this.
`
` So did any of the litigation matters
`
` that you referenced involve EMC as the
`
` petition or the party you represented?
`
` A. I believe, and I'm not certain, but I
`
` believe this is the only matter that
`
` involved EMC.
`
` Q. Okay.
`
` And in any of those matters, have you
`
` been adverse to Intellectual Ventures?
`
` A. I have had matters, I don't recall if they
`
` were IPRs or if they were more district
`
` court where Intellectual Ventures in one of
`
` its instances -- I know you've got the I,
`
` the II, the III there, I believe I have had
`
` matters where Intellectual Ventures in at
`
` least one of those many instances may have
`
` been a party.
`
` Q. All right.
`
` And do you recall if that was an --
`
` those were IPR matters?
`
` A. I do not recall offhand.
`
` Q. But that would be something that would be
`
`Page 10
`
` reflected in your listing of litigation
`
` matters?
`
` A. That would be something that would be
`
` reflected in a listing of the litigation
`
` matters that I can construct given the time
`
` to do that.
`
` Q. All right.
`
` And have you constructed that list of
`
` litigation matters for any of your prior
`
` cases?
`
` A. I have constructed recent lists of
`
` litigation matters, yes.
`
` Q. Okay.
`
` So you have a copy of that you
`
` recently constructed?
`
` A. I would be able to find that list that would
`
` at least indicate those within the past five
`
` years.
`
` Q. All right. Thank you.
`
` So it seems like you've had a good set
`
` of experiences with depositions so I won't
`
` drill down into all the rules of a
`
` deposition; but at a high level, I do like
`
` to take breaks every 60 to 90 minutes. If
`
` there's a point during this deposition where
`
`Page 11
`
` you feel like you need a break, just let
`
` your attorney know, and we'll finish any
`
` questions that are pending and take a break
`
` at the convenience of the testimony.
`
` And, Dr. Neuman, is there any reason
`
` you cannot give truthful and complete
`
` testimony here today?
`
` A. No, there's not.
`
` Q. Dr. Neuman, when were you first contracted
`
` to work as an expert on this specific inter
`
` partes review matter?
`
` A. As to first contact, I don't recall
`
` specifically. As to when I began work on
`
` this matter, I believe to the best of my
`
` recollection that that was in the October
`
` time frame of 2016.
`
` Q. So October of last year, about a year ago?
`
` A. Yeah, about a year ago.
`
` Q. All right.
`
` And do you recall who first contacted
`
` you to work on this IPR matter?
`
` A. I don't recall specifically. I believe it
`
` was one of the attorneys, one of the
`
` attorneys working on the matter.
`
` Q. Was it an attorney from Wilmer Hale that
`
`Page 12
`
` contacted you?
`
` A. I believe that it was.
`
` Q. Okay.
`
` And was it an attorney you had worked
`
` on before in any of the other litigation
`
` matters?
`
` MR. SHUM: Objection.
`
` A. I do not recall it being an attorney that I
`
` worked on specifically. Worked on -- worked
`
` with specifically in a previous matter.
`
` Q. Okay.
`
` And are you retained by EMC to work on
`
` this matter?
`
` A. There's a lot of confusion due to recent
`
` mergers, so whether it is EMC or Dell, that
`
` entity is who I'm retained by.
`
` Q. Okay.
`
` And is that reflected in the agreement
`
` that you signed, which entity you are
`
` working for?
`
` A. One of those is reflected in the agreement
`
` that I signed. In the meantime, there have
`
` been various changes and things that have
`
` changed procedures, though not necessarily
`
` the original agreement.
`
` Q. When you say "changed procedures," is that
`
`Page 13
`
` who you are being paid by?
`
` A. How I submit my bills.
`
` Q. How you submit your bills.
`
` So who do you submit your bills to
`
` currently?
`
` A. I currently submit my bills, and this is
`
` still a point of confusion, but I believe to
`
` Dell.
`
` Q. To Dell. All right.
`
` And is that who you've always
`
` submitted your invoices to?
`
` A. As I indicated already, there was a lot of
`
` confusion, and I think at one point invoices
`
` were supposed to be submitted to EMC. There
`
` were changes in their billing systems, and
`
` at one interim point I submitted my bills
`
` through Wilmer Hale.
`
` Q. I see.
`
` And -- but today you submit them to
`
` Dell?
`
` A. Today I believe I am supposed to submit them
`
` to Dell, and the last one I submitted was to
`
` Dell.
`
` Q. Okay. All right. Thank you.
`
`Page 14
`
` So for other -- other than for
`
` purposes of this inter partes review
`
` proceeding, have you been retained as an
`
` expert to consult on the validity of the
`
` '685 patent?
`
` A. Sorry, can you repeat that?
`
` Q. Yes.
`
` So other than for purposes of this
`
` inter partes review proceeding, have you
`
` been retained as an expert to consult on the
`
` validity of the '685 patent?
`
` A. Other than this particular matter before the
`
` PTO?
`
` Q. Yes.
`
` A. I have not been retained to consult on the
`
` validity. But to clarify, I don't recall
`
` the specific terms in the retention letters,
`
` so it may have been generic. But I have not
`
` been asked to provide opinions for other
`
` things in this proceedings with respect to
`
` this '685.
`
` Q. Understood.
`
` To this point you have only been asked
`
` to opine on the validity of the '685 patent
`
` relative to this proceeding?
`
`Page 15
`
` A. And validity or invalidity, but, yes, only
`
` with respect to these proceedings.
`
` Q. Thank you.
`
` So Dr. Neuman, I'm going to hand you a
`
` number of documents that we will likely be
`
` referring to throughout the course of this
`
` deposition so you would have them in front
`
` of you in case you want to refer to them.
`
` So the first I'm going to hand you has
`
` been marked as Exhibit 1002 to this
`
` proceeding. And it's the Declaration of B.
`
` Clifford Neuman, Ph.D., regarding to U.S.
`
` patent number 9,098,685.
`
` Dr. Neuman, do you recognize this
`
` document?
`
` A. I do recognize this document.
`
` Q. All right.
`
` Would you like to take a few minutes
`
` to flip through it?
`
` A. (Witness reviewing document.)
`
` Okay. I have quickly scanned through
`
` this and this appears to be the document
`
` that I did submit.
`
` Q. Thank you.
`
` Did you review this document in
`
`Page 16
`
` preparation for today's deposition?
`
` A. I did.
`
` Q. And can you turn to page 81 in your
`
` declaration.
`
` A. I'm on page 81.
`
` Q. And is that your signature on page 81?
`
` A. That is my signature on page 81.
`
` Q. And you signed this on December 7, 2016?
`
` A. I signed that on December 7, 2016.
`
` Q. All right.
`
` And did you sign electronically or by
`
` ink?
`
` A. I signed the final page by ink, which I then
`
` scanned and returned to the attorneys.
`
` Q. Right. Thank you.
`
` So I'm going to hand you a second
`
` document, which has been labeled
`
` Exhibit 1001 to this proceeding, and this is
`
` U.S. patent number 9,098,685, Hamid.
`
` Dr. Neuman, do you recognize this
`
` document?
`
` A. I do recognize this document.
`
` Q. And did you review this document in
`
` preparation for today's deposition?
`
` A. I did review this document in preparation
`
`Page 17
`
` for today's deposition.
`
` Q. Next I'm handing you what's been marked as
`
` Exhibit 1011 to this proceeding. And this
`
` is U.S. patent number 6,691,232 to Wood,
`
` et al.
`
` And Dr. Neuman, do you recognize this
`
` document?
`
` A. I do recognize this document.
`
` Q. And did you review this document in
`
` preparation for today's deposition?
`
` A. Yes. I did review this document in
`
` preparation for today's deposition.
`
` Q. And the final document I'm handing you has
`
` been marked as Exhibit 1005. And this is a
`
` document titled "Access Control Framework
`
` for Distributed Applications" by Clifford
`
` Neuman and Tatyana Ryutov.
`
` A. Ryutov.
`
` Q. And Dr. Neuman, are you one of the listed
`
` authors of this document?
`
` A. I am one of the listed authors of this
`
` document.
`
` Q. And do you recognize the document that I
`
` just handed you that has been marked as
`
` Exhibit 1005 as the document you drafted?
`
`Page 18
`
` A. I do recognize this as the document that I
`
` drafted in that time frame.
`
` Q. All right. Thank you.
`
` And did you review this document in
`
` preparation for today's deposition?
`
` A. I did review this document in preparation
`
` for today's deposition.
`
` Q. Thank you.
`
` So before we get into your declaration
`
` and the references in front of you, I'd like
`
` to talk a little bit about terminology in
`
` the security field.
`
` Dr. Neuman, how long have you been
`
` working in computer security?
`
` A. I've been working in computer security since
`
` roughly about 1984.
`
` Q. Okay.
`
` So that's about 35 years almost, 33,
`
` 34 years?
`
` A. About 33 years.
`
` Q. All right.
`
` And do you currently teach a class in
`
` computer security?
`
` A. I do currently teach several classes in
`
` computer security.
`
`Page 19
`
` Q. And what university are you employed by?
`
` A. By the University of Southern California.
`
` Q. And what are the classes you currently teach
`
` in computer security?
`
` A. Well, this semester two classes that I'm
`
` teaching in CSCI 530, Computer Security
`
` Systems and Informatics; 523, Information
`
` Assurance, both of which are related to
`
` computer security.
`
` Q. Thank you.
`
` And based on your experience in
`
` computer security, what is your
`
` understanding of the term "authorization"?
`
` A. When I use the term "authorization" I am
`
` referring to the process of -- and this is
`
` in the general terms as opposed to how it's
`
` used in the patent, but I use
`
` "authorization" to describe the process of
`
` determining whether access is allowed to a
`
` particular object or resource. It can also
`
` be used in the affirmative sense of granting
`
` authorization, but usually when we're
`
` talking about it, we're talking about making
`
` the determination.
`
` Q. And you use the term "object or resource."
`
` What do you mean in this context by
`
`Page 20
`
` "object or resource"?
`
` A. When we --
`
` MR. SHUM: Objection.
`
` Q. Let me break that down.
`
` What did you mean by the term "object"
`
` in the context of your definition of
`
` "authorization"?
`
` A. "Object" would be -- well, when we think of
`
` policies, which are applied in the
`
` authorization process, you have a subject
`
` and an object. The subject is the entity
`
` that is performing an action; the object is
`
` the entity on which the action would be
`
` performed if authorization is provided. In
`
` other words, authorization is determining
`
` whether access is to be granted to whatever
`
` resource, and that's what I mean by
`
` "object."
`
` Q. All right. Thank you.
`
` And in the context of your definition
`
` of "authorization," what did you mean by the
`
` term "resource"?
`
` A. Again, "resource" and "object" in the case
`
` of "authorization" are more or less
`
`Page 21
`
` interchangeable. It is what is to be
`
` accessed and -- well, using language terms
`
` "subject"/"object," it is what the request
`
` to act upon something is, that something is
`
` the object, that something is the resource.
`
` Q. All right. Thank you.
`
` So "resource" and "object" are
`
` interchangeable in that answer?
`
` A. In that particular answer "resource" and
`
` "object" are interchangeable.
`
` Q. All right. Thank you.
`
` And what is your understanding of an
`
` authorization method?
`
` A. So, again, in the general terms as opposed
`
` to how it's used in the context of these
`
` particular proceedings, when we think about
`
` an authorization method, it would be the
`
` method of determining whether such access is
`
` to be granted.
`
` Q. And what is used in an authorization method
`
` to determine whether access is to be
`
` granted?
`
` A. There are a lot of different factors that
`
` could be used to determine that. So the
`
` authorization method could include
`
`Page 22
`
` consulting various conditions. It could
`
` include determining among those conditions
`
` things like identity, so if you have an
`
` identity based authorization method, it
`
` could encompass the steps of authentication
`
` to determine what that identity is so that
`
` that identity could be compared against a
`
` list of authorized users. An authorization
`
` method could be separate from identity where
`
` it might be based simply on time of day,
`
` might be based on, if you look common
`
` mandatory access controls, things like
`
` security levels, it could be based on
`
` payment. So there are many different
`
` methods that could be used for
`
` authorization.
`
` Q. All right. Thank you.
`
` And you used the term "authentication"
`
` in your answer.
`
` What is "authentication"?
`
` A. Again, in the general context in terms of
`
` art, "authentication" is, if you are talking
`
` about one form of authentication called
`
` entity authentication, are the steps by
`
` which one would verify the identity of a
`
`Page 23
`
` principal or a subject.
`
` Q. Okay. All right.
`
` And you used the term "principal."
`
` What do you mean by "principal"?
`
` A. So "principal" is another term that is
`
` commonly used in the security literature to
`
` describe a subject. It is an entity with an
`
` identity or with rights that acts upon other
`
` objects.
`
` Q. I see.
`
` So when I go to my computer and submit
`
` a print job, am I a principal?
`
` A. So when you go to your computer and request
`
` to submit a print job, you would be a
`
` principal. Additionally, the program that
`
` you are running that is submitting that
`
` print job would be running with certain
`
` rights that are derived from you so we would
`
` consider that process or that program in the
`
` instance in which it is running to also be a
`
` principal.
`
` Q. And when you refer to authentication in the
`
` sense of entity based authentication, does
`
` that involve authenticating the application
`
` as well as the user behind the application?
`
`Page 24
`
` A. Well, usually within a computer system the
`
` only thing that is really performing the
`
` actions is the software process.
`
` Q. Okay.
`
` A. And usually what we end up doing is
`
` authenticating that process as having an
`
` identity that we usually associate with an
`
` individual. So as far as the computer is
`
` concerned, it doesn't really know who's
`
` sitting on the keyboard, but you've logged
`
` in, which has provided, in essence, your
`
` identity to the process that you are running
`
` and it is that identity associated with the
`
` process that is being authenticated.
`
` Q. And what are common techniques for
`
` authenticating an entity, the identity of an
`
` entity?
`
` A. Well, you know, as we teach in my classes,
`
` there are sort of three categories. There
`
` is something you know, which can be things
`
` like passwords, can be things like knowledge
`
` of an encryption key, other kinds of things
`
` that you might know.
`
` A second category would be something
`
` that you have. For example, possession of a
`
`Page 25
`
` smart card, possession of a special token, a
`
` piece of hardware which would be used in
`
` conjunction with the process; so that would
`
` be a second form or second factor, as we
`
` call it.
`
` And the third approach is -- well, at
`
` least as I describe it -- is something about
`
` you, which is what is commonly referred to
`
` as biometrics. Could be a fingerprint scan
`
` or iris scan, a retina scan. You know, if
`
` you look at some movies, it could be how you
`
` walk, how you type, other sorts of things.
`
` Q. So you would consider those to be
`
` authentication methods?
`
` A. We consider those to be basis -- to form
`
` bases upon which authentication could be
`
` performed.
`
` Q. Okay.
`
` A. And I think it would be fair to describe
`
` those as methods, yes.
`
` Q. Okay.
`
` And what is your understanding of the
`
` term "access control" in computer security?
`
` A. So "access control" is often used in the
`
` same context as "authorization" now. In my
`
`Page 26
`
` earlier discussion I said "authorization"
`
` could be a couple of different things, but
`
` typically what we're talking about is a
`
` process of determining whether access to an
`
` object is allowed. And that aspect of
`
` "authorization" is also very often
`
` interchangeably referred to as "access
`
` control."
`
` Q. I see.
`
` So oftentimes "access control" is
`
` assumed in the terminology "authorization"?
`
` A. Oftentimes "access control" is assumed in
`
` certainly one of those meanings of
`
` "authorization."
`
` Q. All right.
`
` And what is your understanding of a
`
` "security policy"?
`
` A. A "security policy" is a set that contains
`
` rules that are used to determine whether
`
` access is to be granted.
`
` Q. And is a "security policy" associated with
`
` what you referred to as a "target"?
`
` A. I don't think I used the word "target."
`
` Q. Okay. Sorry.
`
` A. Please repeat.
`
`Page 27
`
` Q. Yes. Sorry.
`
` Is a security policy associated with
`
` an object?
`
` A. A security policy may be associated with an
`
` object. You can have a security policy that
`
` is associated with multiple objects. So a
`
` policy certainly can be associated with an
`
` object. You can have security policies also
`
` that are general statements that apply, in
`
` essence, across the board to all objects.
`
` Q. And how are policies enforced?
`
` A. So when one is talking about the policies
`
` that are enforced by authorization methods,
`
` for example, those policies are first read,
`
` and then, if necessary, conditions are
`
` evaluated to determine whether the result of
`
` applying those policies is to grant or to
`
` deny access. The particular authorization
`
` methods that are called for within the
`
` particular policy are evaluated according to
`
` the particular method that is described.
`
` Q. All right.
`
` So you said within the particular
`
` policy there can be authorization methods.
`
` Is that what your answer --
`
`Page 28
`
` A. So my answer talked about authorization
`
` methods. And just to clarify, we're talking
`
` in the general terms here, rather than the
`
` term "authorization" as it exists in this
`
` patent. I need to just reassess if we were
`
` talking about that.
`
` Q. Right. No. I understand. I'm asking you
`
` about your general understanding of the
`
` plain and ordinary meanings of these terms.
`
` So in a policy, what types of
`
` authorization methods would you have
`
` specified?
`
` A. If one was talking about what we call
`
` "mandatory access controls," sometimes
`
` referred to as "multilevel security," you
`
` can have a clearance that is associated with
`
` a subject or user, and you can have a
`
` classification that is associated with an
`
` object, and you look to see whether the
`
` clearance -- the technical term we use is
`
` "dominates," but basically is greater than
`
` or equal to what the classification of the
`
` object is.
`
` Another example would be in an
`
` identity-based authorization method, you
`
`Page 29
`
` would look to determine what the identity of
`
` the subject is, and you would compare that
`
` against an access control list that
`
` described and listed those subjects that are
`
` authorized to access a particular object,
`
` and you make the assessment based on that.
`
` If you look at other kinds of
`
` conditions that can exist within
`
` authorization methods, you might have a
`
` condition that is indicative of time of day,
`
` could be indicative of a kind of connection,
`
` could be indicative of a location or other
`
` kinds of things. So you've got a lot of
`
` different methods that can be used, a lot of
`
` different things that can be consulted in
`
` making such an access control decision.
`
` Q. I see.
`
` And those would be part of a policy
`
` that was defined?
`
` MR. SHUM: Objection.
`
` A. The policy that was defined would indicate
`
` what conditions need to be met.
`
` Q. Right.
`
`