Rather than sign the XRD with RSA and public cert, can we also imagine signing with a username token, where the digested password is the existing OpenID association handle for that RP? (The username token would have the standard timestamp and nonce, to address replay.)
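As an added illustration (not part of the original post), this is how a WS-Security UsernameToken digest, Base64(SHA-1(nonce + created + password)), could be produced and verified with the RP's association handle as the password, including the timestamp and nonce replay checks the post mentions. The freshness window, the in-memory nonce cache, the dict layout of the token and the `lookup_handle` callback are assumptions of this example.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)   # assumed freshness window for Created
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
_seen_nonces = {}                # nonce -> expiry; hypothetical in-memory replay cache

def password_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """UsernameToken PasswordDigest: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + secret).digest()
    return base64.b64encode(raw).decode()

def make_token(rp_id: str, assoc_handle: str, now=None) -> dict:
    """Build the token fields an RP would send; the handle itself is never included."""
    now = now or datetime.now(timezone.utc)
    nonce, created = os.urandom(16), now.strftime(TS_FMT)
    return {"Username": rp_id, "Created": created,
            "Nonce": base64.b64encode(nonce).decode(),
            "PasswordDigest": password_digest(nonce, created, assoc_handle.encode())}

def verify_token(token: dict, lookup_handle, now=None):
    """Return (ok, reason). lookup_handle maps an RP id to its association handle."""
    now = now or datetime.now(timezone.utc)
    try:
        created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(token["Nonce"], validate=True)
        claimed = token["PasswordDigest"].encode()
    except (KeyError, ValueError, AttributeError):
        return False, "malformed"
    if abs(now - created) > MAX_AGE:
        return False, "stale"
    handle = lookup_handle(token.get("Username"))
    if handle is None:
        return False, "unknown-rp"
    expected = password_digest(nonce, token["Created"], handle.encode()).encode()
    if not hmac.compare_digest(expected, claimed):
        return False, "bad-digest"
    # Replay check runs only after the digest verifies, so unauthenticated
    # senders cannot fill the cache. Expired entries are purged first.
    for seen, expiry in list(_seen_nonces.items()):
        if expiry < now:
            del _seen_nonces[seen]
    if nonce in _seen_nonces:
        return False, "replay"
    _seen_nonces[nonce] = created + MAX_AGE
    return True, "ok"
```

The digest covers only the token fields, not the XRD itself, and `openid.assoc_handle` is carried in the clear in OpenID authentication messages, so a passing check shows only that the sender knows the handle.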