The web server doesn't have the bitcoin private key, and the problem I'm trying to solve is an order process where the web server doesn't have to communicate with bitcoin at all to generate the "pay me" address/link.
I was giving this exact problem some thought recently. My question is, how simple of a merchant site do you want to support? If the system is going to be handing out local transaction ids, then it has to generate them right?
The conclusion that I came to is that this can already be done. If you have to track orders anyway, then, why not pre-gen a number of addresses, and give the webapp a bulk load of them. Then, with each transaction, it marks each one as used, and ads it to tracking.... no bitcoin client needed until it is time to re-up the addresses.... which can be a manual process, or could be automated in some way.