FYI, I have completed a new I-D version for integration of Kerberos
(entwined with ECDH) into TLS. I announced it at the TLS-WG but thought
Kitten should know about it too.

The central choice made in this draft is to embed Kerberos Ticket +
Authenticator in the client X.509 Certificate, and use an Authenticator
as ClientVerify. This is awkward, but it means that the rest of the
integration with TLS is very smooth.