Nico also suggests making gic_keytab use encrypted timestamp preauth (http://mailman.mit.edu/pipermail/krbdev/2012-July/010999.html), and making the KDC use the encrypted timestamp key as the reply key. These are both reasonable ideas, but the former may have some edge cases.