Thanks for the link to the wikipedia page in the other thread... so receiver CAN recover 'k' given the public key and signature.
Thanks for bearing this useful fact in mind.
Another thing to consider, once any coins associated with an address have ever been spent then the public keys associated with that address are public by virtue of the signature in the transaction. If the merchant's public key is available in this fashion then the customer and merchant can generate a shared secret using Diffie-Hellman key agreement or some similar scheme. This shared secret could be used as the "authentication key" mentioned in the wikipedia article.
Of course, if you're thinking of now enabling currently forbidden scripting features then a lot of options become available.