random auth instead of well known? #255

Closed
flihp opened this issue Dec 29, 2024 · 1 comment
flihp commented Dec 29, 2024

When we ChangeAuth per #254 we use a well known auth value as a temporary method to auth w/ auth id 1 when we change the value in auth id 2. If something goes wrong and oks crashes between adding the temporary well known auth value and removing it we may be leaving ourselves w/ a problematic configuration: the YubiHSM will have a well known auth value. In this state we can't put the YubiHSM back into storage w/o creating a situation where a single role (the safe custodian) is able to use the YubiHSM to sign stuff.

The alternative is to use a random temp auth value. This will fail closed, but closed can be bad too. If we fail in the same place we wouldn't be able to access the YubiHSM again. In this case we would have to recover the YubiHSM from backup.


flihp commented Jan 17, 2025

I've gone a different direction and instead of generating an auth value we're copying the old one to auth-id 3, removing it from auth-id 2, putting the new auth value into auth-id 2, then deleting the old one from auth-id 3. This has the benefit of allowing us to fall back to using the old value w/ auth-id 3 if we fail to export the new auth value.

@flihp flihp closed this as completed Jan 17, 2025
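The two comments above weigh three ways of rotating the auth value in auth-id 2: a well-known temporary value (fails open if the tool crashes mid-way), a random temporary value (fails closed, possibly locking the operator out), and the approach finally chosen, copying the old value to auth-id 3 first. The following is an added example, not code from this issue or from the project it belongs to: it models the HSM's auth slots as a plain dictionary, runs each sequence with a simulated crash after every step, and reports which intermediate states leave a well-known value on the device and which leave nothing the operator still holds. The slot numbers follow the comments; the assumption that auth-id 1 and auth-id 3 are free when the rotation starts, the placeholder auth values, and all function names are constructed for the example.

```python
import secrets
from typing import Callable

# Constructed placeholder values; real auth values are secrets and never appear in code.
WELL_KNOWN = b"well-known-placeholder"
OLD = b"old-auth-value"
NEW = b"new-auth-value"


class MockHsm:
    """Stand-in for the device's auth-key slots: auth id -> auth value (constructed model)."""

    def __init__(self, slots):
        self.slots = dict(slots)

    def put(self, auth_id, value):
        if auth_id in self.slots:
            raise ValueError(f"auth id {auth_id} already occupied")
        self.slots[auth_id] = value

    def delete(self, auth_id):
        del self.slots[auth_id]

    def accepts(self, value):
        return value in self.slots.values()


Step = tuple[str, Callable[[MockHsm], None]]


def well_known_temp(old, new) -> list[Step]:
    """Sequence from the first comment: well-known temporary value in auth-id 1."""
    return [
        ("put well-known in id 1", lambda h: h.put(1, WELL_KNOWN)),
        ("delete old from id 2", lambda h: h.delete(2)),
        ("put new in id 2", lambda h: h.put(2, new)),
        ("delete well-known from id 1", lambda h: h.delete(1)),
    ]


def random_temp(old, new) -> list[Step]:
    """Alternative from the first comment: random temporary value, held only in memory."""
    temp = secrets.token_bytes(16)  # lost if the process crashes
    return [
        ("put random temp in id 1", lambda h: h.put(1, temp)),
        ("delete old from id 2", lambda h: h.delete(2)),
        ("put new in id 2", lambda h: h.put(2, new)),
        ("delete random temp from id 1", lambda h: h.delete(1)),
    ]


def copy_old_to_id3(old, new) -> list[Step]:
    """Sequence from the second comment: keep the old value in auth-id 3 until the new one is in place."""
    return [
        ("copy old to id 3", lambda h: h.put(3, old)),
        ("delete old from id 2", lambda h: h.delete(2)),
        ("put new in id 2", lambda h: h.put(2, new)),
        ("delete old from id 3", lambda h: h.delete(3)),
    ]


def crash_analysis(steps, old, new, retained):
    """Replay `steps`, crashing after each one, and describe the state left on the device.

    `retained` is the set of values the operator can still present after a crash
    (a random in-memory temp is not among them). A state 'fails open' if the
    well-known value authenticates; it is 'locked out' if no retained value does.
    """
    report = []
    for crash_after in range(len(steps) + 1):
        hsm = MockHsm({2: old})  # assumption: only auth-id 2 is populated at the start
        for _, action in steps[:crash_after]:
            action(hsm)
        report.append({
            "after": steps[crash_after - 1][0] if crash_after else "start",
            "fails_open": hsm.accepts(WELL_KNOWN),
            "locked_out": not any(hsm.accepts(v) for v in retained),
            "old_usable": hsm.accepts(old),
            "new_usable": hsm.accepts(new),
        })
    return report


if __name__ == "__main__":
    strategies = [
        ("well-known temp", well_known_temp(OLD, NEW), {OLD, NEW, WELL_KNOWN}),
        ("random temp", random_temp(OLD, NEW), {OLD, NEW}),
        ("copy old to id 3", copy_old_to_id3(OLD, NEW), {OLD, NEW}),
    ]
    for name, steps, retained in strategies:
        print(f"== {name}")
        for row in crash_analysis(steps, OLD, NEW, retained):
            print(f"  crash after '{row['after']}': fails_open={row['fails_open']} locked_out={row['locked_out']}")
```

Running it shows the trade-off the thread describes: the well-known sequence leaves a well-known value on the device after any of its first three steps, the random sequence locks the operator out if the crash lands between deleting the old value and writing the new one, and the copy-to-id-3 sequence never does either, with the old value still accepted right up until the final delete, which is the fallback the second comment relies on if exporting the new value fails.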