if there is only one ssl/tls-implementation then qemu-kvm should only have a ssl-flag, gnutls should only be used if there are more then on implementation (i.e. you can use openssl or nss instead). If I specify ssl in my global USE flags I expect that every package that has optional ssl/tls functionality should have them enabled, and gnutls/nss/openssl should only be used when I want to diverse from the ebuild default (if there is more then one implementation).
Point me to the policy on this.