[OpenID] signing 1 XRD for a million OpenIDs (was host-meta and "acct:")

SitG Admin sysadmin at shadowsinthegarden.com
Fri Nov 6 07:02:09 UTC 2009


>The 1M user account OpenID URIs have not indicated that:
>1)  the XRD needs to be signed; or
>2) which signer(s) are legitimate.

Alternative to httpi - and perhaps less of a change than adding a new 
protocol - could the OpenID headers be used to declare a public key? 
Declarations of identity, delegation, XRD file; I'm not even sure 
anymore how many OpenID headers it is possible to have, or how many 
have been reassigned to the XRD file instead.

-Shade

