In a world where there are online CAs issuing client certificates it is
important to not allow the endtime of a ticket acquired with PKINIT to
extend past the notAfter of the client's certificate.  Otherwise there
is the risk that a user can cycle a forever credential by using Kerberos
to acquire a client certificate and then the client certificate to
acquire a TGT, repeatedly getting a 10 hour (or whatever is configured)
extension, and thus avoiding the need to periodically engage in initial
[pre-]authentication.

This should apply to all pre-authentication methods where the method
involves expiring credentials, and indeed, it already applies to PA-TGS
for example.

Not applying the client certificate's notAfter to the issued ticket's
endtime is only a serious bug in environments that also operate online
CAs that issue client certificates good for PKINIT to clients
authenticated with Kerberos.  In the context of as-originally-intended
deployment, this is not a serious bug.