See http://mailman.mit.edu/pipermail/krbdev/2010-December/009732.html for more discussion. The security issue raised there is probably not worth worrying about, since old versions of TGT keys are already available for use by clients if they supply a kvno.