What exactly are you going to man-in-the-middle? The only things being sent are public keys and signed assertions.

The tech isn't novel, but it's not crippled by client cert's terrible UI.

No, your browser only tells sites your email address when you tell it to. If you have multiple identities, you select which email address you want to present to the site.

Just to be clear, your email provider asks your browser to generate a new public/private keypair. The email provider only ever sees your public key.

To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.

(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)

It can be the same as with username/password authentication: when you log into your email provider, you see a box that says "store this login info", and you don't check it.

The same as when you use a different browser, or start using BrowserID for the first time:

You log into your email provider, which asks your browser to generate a key. Your email provider signs the key, and your browsers stores it.

There's no single keyair that you're totally dependent on.