Here are the first proposed extensions, PIDK, allowing the derivation of shared keys through the hub from the user PIDs, and ECID, allowing for the use of elliptic curve cryptography to identify clients (including MITM avoidance when using SSL connections).
Where exactly are these proposed extensions? I see neither links nor attachments in your post.
Regarding MITM, that is already covered by a pre-existing extension (i.e. KEYP); however, I do concur that the current state of the implementation needs some more work in that a) certificate validity periods fluctuate a lot (from 10 days to one year) and b) clients, to my knowledge, currently have no implementation for hot-swapping their certificate when it does expire.
Without seeing anything you have worked up, I will say this much… anything that deals with PID directly has to be cryptographically irreversible and safe. Anything that can be translated back to a user's PID cannot be transmitted over the network to other users.