The fix for issue #7033 adds a default enctype to be used when no etype- info processing has been done. That addresses #2 and #3, although differently from the recommendation I came up earlier (I hadn't been thinking about optimistic preauth). So that just leaves #1.