OASIS PKCS 11 TC

  • 1.  Anyone using NSS vendor specific mechanisms?

    Posted 08-19-2025 21:07
    I'm moving NSS to use the PKCS #11 v3.2 mechanisms, particularly
    CKM_TLS12_EXTENDED_MASTER_KEY_DERIVE.

    To handle any backward compatibility, I've added a check to see if the
    token supports CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE if it doesn't
    support CKM_TLS12_EXTENDED_MASTER_KEY_DERIVE.

    Mozilla doesn't think this is necessary, and my use case is some
    hardware vendor using our mechanism to support a full TLS chain in NSS,
    so my question is do any of the hardware vendors on this list support
    our vendor specific mechanism, or can I just dispense with the check and
    move forward with using CKM_TLS_EXTENDED_MASTER_KEY_DERIVE?

    (basically my presumption was incorrect, Mozilla is right, and we
    don't need the test).


  • 2.  RE: Anyone using NSS vendor specific mechanisms?

    Posted 08-20-2025 02:26

    Bob,

    Utimaco's PKCS#11 provider does not support CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, nor do any of our tools use it.



    ------------------------------
    Best regards,
    Dieter
    ------------------------------