On Jun 2, 2015, at 8:00 AM, <l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk>
<l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk> wrote:
see TimBL's "don't break the web" request to keep the uris the same,
regardless of method of access
With hsts, Sir Tim's broken url objection goes away, I think. The idea of doing
http and having a certificate appear as a UI indication that the document was
downloaded securely is bad design. It's too easy to fake, and users typically
don't understand anyway. The goal should be to make it secure, not to tell the
users it is secure.