set up a hidden service without using a filesystem directory?

In the original hidden services model, the expert user would set up a directory on the disk somewhere, edit her torrc to configure a hidden service to write its hostname and key in that directory, start tor, and go look in that directory to find out the new name for the hidden service.

That model sucks if we want hidden services to be easy and safe for ordinary users.

In particular, there are two reasons why it's bad. First, the Tor client runs as whatever user it runs as, and the user needs to pick a directory that Tor can write to and read from. Where that might be probably varies from Linux distro to distro. Second, the private key of the service gets written unencrypted to disk. We could imagine expert users who know how to handle that, but we can also imagine that most users won't.

So it would be good to make an easier way to do it. One way would be to allow controllers to set up hidden services. The controller could even remember the key (and store it in a safe way), and import it to Tor when it connects to the control port. (We don't want controllers generating hidden service keys though -- that's Tor's job.)

I could imagine an API in the control protocol that allows this -- with operations like "make me a new hidden service and tell me the key" or "here's the key, please set up a hidden service". I wonder if there's a more general way to extend the controller protocol though?