When do you plan a future major upgrade of NK HSM2 hardware internals like in the beginning of 2019?
What is the most stable HSM2 firmware version?
What is the LATEST HSM2 firmware version ever shipped to anyone up to now (July 2020)?
How to verify its version from a host computer?
Do you always ship only the very latest versions of firmware after ordering from your shop?
If a wrong, obsolete version of HSM2 firmware and/or hardware is shipped, can you replace the item free of additional charge and ship another HSM2 piece with the LATEST hardware/firmware after the item you sent is returned?
I have only purchased an NK PRO2 earlier and am now thinking about getting a new NK HSM2.
For Nitrokey HSM2 I am not aware of any plans for H/W upgrade at the moment.
Firmware can be upgraded on both hardware lines.
One of the OpenSC status commands (pkcs11-tool AFAIR) shows the firmware version.
It should be mostly up to date on the buy day. It’s not really an issue, since the update is easy and could be done over the browser.
We do not send old H/W anymore, so you should never receive it. Additionally, all smart cards are tested during production on our side and before the actual shipment takes place.
Please clarify: defects or obsolescence in which features are fixable by a firmware upgrade, and what can be fixed only by replacing hardware (I mean a mass product line, not just a single buggy piece)?
Can it happen that in the next 1-3 years OpenSSH will release something not compatible with current HSM2 features, e.g. a deprecation related to RSA keys or something like it, and the only fix will be a replacement of hardware like HSM2 → HSM3 (a new purchase)?
I refer only to existing features of OpenSSH; sure, they can add support for something new that is not yet supported, but I am afraid of an indirect deprecation of compatibility with HSM2.
I understand OpenBSD developers have good reasons to deprecate something like RSA-SHA1 mentioned in the:
Future deprecation notice
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the “ssh-rsa” public key signature algorithm that depends
on SHA-1 by default in a near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.