Set default ee_policy to allow certificates with any keyUsage #293

Closed
U-238 wants to merge 4 commits into XML-Security:main from U-238:main

U-238 commented Jun 14, 2026

Contributor

webpki_defaults_ee() still requires a certificate to have the "TLS Web Client Authentication" extended key usage, which should not be required for signing XML documents.

This PR changes the default to permit_all(), which will allow documents to be signed using any certificate regardless of key usage extensions specified in the certificate.

U-238 commented Jun 14, 2026

Contributor Author

This PR also fixes the type hints for the ee_policy and ca_policy arguments.

kislyuk commented Jun 21, 2026

Member

Hmm, relaxing to no requirement at all also seems wrong. I think what you originally proposed is the right thing to do.

I decided to go ahead and migrate to your originally proposed behavior, requiring digital signature key usage by default, documenting an escape hatch, and fixing up the tests to use the permissive policy for legacy test cases.

Thanks for pushing on this. Let me know if anything else about the API doesn't make sense and I'm happy to work with you to update it.

Released in v5.0.0, please test.

kislyuk closed this Jun 21, 2026