I'd rather see an RFC written up with where we want to go with user auth. I know your idzeas differ from Aryeh's work on the issue, so I'd rather see all that stuff worked out before more code gets put in core.
Just my opinion though.
I was planning on extending the current auto-auth code to support normal core features like session checking and user creation. I can draft up an RFC though. It'll be a good exercise for some of the future auth changes I want to make ;).
V/r,
Ryan Lane