On Jun 2, 2015, at 8:00 AM, <l.wood@xxxxxxxxxxxx> <l.wood@xxxxxxxxxxxx> wrote: > see TimBL's "don't break the web" request to keep the uris the same, regardless of method of access With hsts, Sir Tim's broken url objection goes away, I think. The idea of doing http and having a certificate appear as a UI indication that the document was downloaded securely is bad design. It's too easy to fake, and users typically don't understand anyway. The goal should be to make it secure, not to tell the users it is secure.