As I indicated on the release team call yesterday, I strongly object to pkinit using gak_data as a PIN for access to smart cards. The reason is that confusing PINs and passwords can be problematic and can lead to card lockouts. I think an API that took some slot identifier or token identifier and a PIN and fed them to pkinit would be a great idea, though.