> One of the concerns raised was with the potential sharing of AES keys
> between servers. If a user wanted to use the same device with multiple
> YubiKey-enabled sites, they would need to share their AES key with all of
> the servers. If any one of those servers was compromised, it would allow an
> attacker to authenticate to any of the others.
Even worse, using the same key on multiple servers also allows a simple
replay attack where a valid login to server A is used afterwards to log in
to server B. This works if both servers authenticate independently, since
the (monotonically increasing) serial number saved on B is not updated
when logging in to A.
After reading the mail thread, it seems to me that the way out of this as
implemented by Fedora is that the user doesn't even know their AES key,
because the script writes it to the key automatically so they can't use
the same key elsewhere. That is, they don't say "don't do that, it's bad",
they say "it's ok because the script doesn't let you do that".
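To make the cross-server replay concrete, here is an added example (it is not code from the thread, from Fedora, or from Yubico). It models a YubiKey-style OTP: a 16-byte block holding a private ID, a session counter, a per-session use counter, random padding and a CRC, encrypted under a per-token key, with each validator decrypting and refusing anything whose counter has not advanced. Two simplifications are assumptions of mine: a small HMAC-based Feistel permutation stands in for AES-128-ECB so the script needs only the standard library, and the `Token`/`Server` classes and field layout are hypothetical, only loosely following the real OTP format. The CRC is the same reflected CRC-16 (poly 0x8408, init 0xffff) that the YubiKey and PPP FCS-16 use, so a correct token leaves the residue 0xf0b8.

```python
"""Toy model of YubiKey-style OTP validation showing why one key shared by two
independently validating servers permits cross-server replay (added example,
not the thread's or Yubico's code)."""
import hmac
import hashlib
import os
import struct

ROUNDS = 8


def _f(key, rnd, half):
    # Keyed round function for the toy Feistel cipher below (assumption: a
    # stand-in for AES so the example runs with only the standard library).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt(key, block):
    # 16-byte keyed permutation standing in for AES-128-ECB; NOT real AES.
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, i, r)))
    return l + r


def toy_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, i, l))), l
    return l + r


def crc16(data):
    # Reflected CRC-16, poly 0x8408, init 0xffff (YubiKey OTP / PPP FCS-16).
    # A 16-byte token carrying ~crc of its first 14 bytes yields 0xf0b8.
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


class Token:
    """The key device: private id, session counter, per-session use counter."""

    def __init__(self, aes_key, private_id):
        self.key = aes_key
        self.private_id = private_id  # 6 bytes
        self.session = 0              # bumped on every power-up
        self.use = 0                  # bumped for every OTP within a session

    def power_on(self):
        self.session += 1
        self.use = 0

    def otp(self):
        self.use += 1
        # Simplified layout: uid(6) session(2, LE) timestamp(3) use(1)
        # random(2) crc(2). Timestamp is left zero in this model.
        body = (self.private_id + struct.pack("<H", self.session)
                + b"\x00\x00\x00" + bytes([self.use]) + os.urandom(2))
        body += struct.pack("<H", ~crc16(body) & 0xFFFF)
        return toy_encrypt(self.key, body)


class Server:
    """A validator. `counters` maps private id -> (session, use) last accepted.
    Passing the same dict to two servers models a shared counter store."""

    def __init__(self, name, aes_key, counters=None):
        self.name = name
        self.key = aes_key
        self.counters = {} if counters is None else counters

    def validate(self, otp):
        plain = toy_decrypt(self.key, otp)
        if crc16(plain) != 0xF0B8:
            return False  # wrong key or corrupted token
        uid = plain[:6]
        session = struct.unpack("<H", plain[6:8])[0]
        use = plain[11]
        if (session, use) <= self.counters.get(uid, (0, 0)):
            return False  # replay: the counter did not advance
        self.counters[uid] = (session, use)
        return True


def replay_across_independent_servers():
    # Same key on A and B, separate counter state: the OTP accepted by A
    # is still "fresh" from B's point of view.
    key = os.urandom(16)
    tok = Token(key, os.urandom(6))
    tok.power_on()
    a, b = Server("A", key), Server("B", key)
    otp = tok.otp()
    return a.validate(otp), b.validate(otp)   # (True, True)


def replay_with_shared_counter_store():
    # One counter store consulted by both (what a central validation
    # service provides): B sees the counter A already recorded.
    key = os.urandom(16)
    tok = Token(key, os.urandom(6))
    tok.power_on()
    shared = {}
    a, b = Server("A", key, shared), Server("B", key, shared)
    otp = tok.otp()
    return a.validate(otp), b.validate(otp)   # (True, False)


if __name__ == "__main__":
    print("independent servers:", replay_across_independent_servers())
    print("shared counter store:", replay_with_shared_counter_store())
```

The second function shows the alternative to "one key per server": keep a single key but a single counter store, which is what a central validation service amounts to. Either the key or the counter state has to be unique to one trust boundary; a key shared among validators that each keep their own counter is the worst of both.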