Background

Now that pivit supports setting the PIN and touch policy for keys generated on specific slots, it'd be a good idea to set those policies to their default settings if no specific policy flags (--pin-policy, --touch-policy) were specified.

For now, if no policy flags were specified, pivit sets the policy to never require a PIN and always require a touch when accessing the key.

Context

The decision to set the default policy to PIN=never and touch=always was made since it provides the most convenient and frictionless user experience, especially when using pivit to sign git commits and tags.

But, it's considered less secure, and not a best practice.

What's needed?

Instead of setting the slot access policy to be hardcoded to the above setting of no policy flags were specified, we should set the PIN and touch policy to the secure defaults for each slot as specified in the PIV standard, and summarized here