I still insist that you don't need to control enctypes in gssd or in the kernel, but, be that as it may, if you're going to go down this path then the GGF proposal for extending credentials may be the way to go.