This means that ideally, customer payment & redeem tx would end up in the same block, and no delay would be added compared to the current situation.
The customer tx is what enables the confirm button, which thus shows the customer its payment was made to the proper address, and the merchant can confirm the amount as well.
However as long as the merchant as not issued his redeem tx, and this tx as not been confirmed, the customer can issue a tx to recover his funds.
My proposal would not involve sending of any private key, or any form of data exchange between customer & merchant beyond the customer clicking on a confirm button.
Rephrased for clarification the scenario:
Merchant displays
Client sends money to the above output (tx1)
Merchant sees transaction and requests confirm
Client confirms - Merchant honest
Client clicks confirm button
Merchant spends the tx1 to another private address with tx2
No fragile time limit or requirements, merchant waits for 1-3 confirmations on tx2 (which also means at least 1-3 conf on tx1, since tx2 depends on it)
Client cancels - Merchant honest
Clients does not click confirm, but issues a tx3 that spends tx1 back to his own private wallet.
Merchant has nothing to do, can detect tx3 and show the transaction was canceled.
No time limits or expiration at the blockchain level, only expiration would be in merchant UI.
Client dishonest - Merchant honest
Client clicks confirm, but issues a tx3 while or before merchant issues a tx2.
This is a blockchain race, only one will be accepted, or both will rejected, but merchant is safe as it only waits for tx2 confirmations, which will not happen if tx3 wins.
Client honest - Merchant dishonest
Merchant issues tx2 immediately and gets the funds. This case is not protected, but is not different from the merchant accepting the funds honestly, but not delivering anything.
So to summarize, the main difference between yours and mine is that my approach does not require an exchange of private key or a communication protocol, and customer can recover his funds even in case the merchant UI failed during payment (for whatever reason), as long as the merchant is honest. There is also no time constraint of any sort.
The use of a special address scheme rather scripts would be to make it visually obvious and unambiguous to users.
The lack of blockchain-based time constraint means that it also opens scenarios where multiple people contribute freely to a common fund with a public contribution address, without involving multi sigs or complex private keys exchanges, for instance:
Charles wants to raise fund for project X (kickstarter-style, charity, etc.), to be redeemed on august 30, shows a R address for contribs to that project
- Alice sends 1 BTC to the R address
- Bernard sends 2 BTC to the R address
- Daniel sends x BTC, etc..
- A few days later, Alice changes here mind, and recovers her funds.
- On august 30, Charles transfers all R funds to his own address, and starts work on Project X
Alice did not need anyone to recover her funds, and Charles did not need to issue anything or manage anything to have Alice recover her funds.
OP_RETURN could optionally be used to pass along metadata about the contributions, so that everything could be blockchain-based.