I've reviewed the RFCs and am pretty familiar with Kerberos.
It seems to me that over a non-encrypted link (HTTP), Kerberos doesn't leak the user's password (or hash based challenge/response like NTLMv1/v2) and/or is susceptible to a replay attack.
In a properly designed implementation of Kerberos, is HTTP authentication considered secure over a non-encrypted link?
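As an added illustration (not the question author's code) of the replay aspect: RFC 4120 requires an application server to reject an AP-REQ whose authenticator timestamp is outside the allowed clock skew (KRB_AP_ERR_SKEW) and to keep a replay cache so an identical authenticator seen again within that window is refused (KRB_AP_ERR_REPEAT). The principal name, timestamps and the 5-minute skew below are constructed values for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)  # assumed default; site policy may differ


@dataclass(frozen=True)
class Authenticator:
    client: str         # client principal as carried in the authenticator
    ctime: datetime     # client's clock time when it was built
    cusec: int          # microsecond part of ctime


class ReplayCache:
    """Minimal model of the server-side replay cache RFC 4120 sec. 3.2.3 calls for."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # (client, ctime, cusec) -> time the entry can be dropped

    def _expire(self, now):
        # Entries older than the skew window can never pass the skew check again.
        for key, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[key]

    def accept(self, auth, now):
        """Return (accepted, reason) for an authenticator received at time 'now'."""
        self._expire(now)
        if abs(now - auth.ctime) > self.skew:
            return False, "KRB_AP_ERR_SKEW"
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT"  # same authenticator replayed
        self._seen[key] = auth.ctime + self.skew
        return True, "OK"


def demo():
    """Fresh request accepted; a resend of the same authenticator and a stale one rejected."""
    cache = ReplayCache()
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    auth = Authenticator("alice@EXAMPLE.COM", t0, 123456)     # constructed principal
    first = cache.accept(auth, t0 + timedelta(seconds=1))
    replay = cache.accept(auth, t0 + timedelta(seconds=30))
    stale = cache.accept(
        Authenticator("alice@EXAMPLE.COM", t0 - timedelta(minutes=10), 1), t0)
    return first, replay, stale
```

The cache only covers the AP-REQ itself; whatever the HTTP request carries after authentication gets no integrity or confidentiality from this check unless the application also uses the session key or TLS.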