I mostly agree with what you say. I will however strongly object if there is an attempt to use keyprov for Kerberos and it's not a good fit. So, provided that we're all clear that a Kerberos-specific protocol is better than a bad match between Kerberos and keyprov, your text seems OK to me.