Formalize the contract of PasswordPolicyResponse by stating that -1 is returned if no value is set.

The rfc makes timeBeforeExpiration, and graceAuthNsRemaining optional, but the PasswordPolicyResponse has them as primitives (no null). The best value for unspecified is -1 and that is what the impl is currently returning, but it would be good to make that explicit in the javadoc (to avoid having to check for any value < 0).