Your proposal sounds good. Two notes:
Jabber already has the who's online function and if I'm not mistaken it is already uploaded to OpenACS.
How about adding the possibility for password changing drivers (using a secure connection, the OpenACS system has the capabilities through it's interface to change the password at the remote domain).
Curious as I am, how much of this is already covered by funding, what parts will be missing and when are you aiming to deliver.