How about this scheme: Require IDPs to support serving both http and https ID URLs, with both required to map to the same identity. But relying parties can choose which to support, so RPs that do sensitive things will only support https URLs, while phpBBs and similar applications can use the less secure http URL.
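A sketch of both halves of that scheme, as an added example that is mine and not the poster's: the IdP side maps either scheme variant of an identifier URL to one account, and the RP side applies a per-RP policy (sensitive RPs accept only https identifiers, a forum-style RP accepts either). The hostnames, the account table and the `final_discovery_url` parameter are assumptions for illustration. It goes one step beyond the comment in one respect: an https identifier only buys anything if discovery actually stayed on https, so the RP also rejects a claimed https identifier whose discovery was redirected down to http.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed IdP account table (example data, not a real provider): each
# account lists both scheme variants of its identifier URL, as proposed above.
IDP_ACCOUNTS = {
    "alice": ("http://idp.example/alice", "https://idp.example/alice"),
    "bob":   ("http://idp.example/bob",   "https://idp.example/bob"),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(identifier):
    """Canonicalise an identifier URL: lowercase scheme and host, drop a
    default port, treat an empty path as '/', drop the fragment. This keeps
    the http and https variants comparable apart from their scheme."""
    parts = urlsplit(identifier.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("identifier must be an http or https URL")
    host = parts.hostname or ""
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def scheme_of(identifier):
    return normalize(identifier).split("://", 1)[0]


def scheme_agnostic_key(identifier):
    """Everything after the scheme, so both variants of one ID compare equal."""
    return normalize(identifier).split("://", 1)[1]


def idp_resolve(identifier):
    """IdP side: either scheme variant resolves to the same local account,
    or None if no account owns that URL."""
    key = scheme_agnostic_key(identifier)
    for account, variants in IDP_ACCOUNTS.items():
        if key in {scheme_agnostic_key(v) for v in variants}:
            return account
    return None


def rp_accept(identifier, require_https, final_discovery_url=None):
    """RP side. require_https=True for a sensitive RP, False for a forum.
    final_discovery_url (assumed to be recorded by the RP's fetcher) is the
    URL discovery ended at after following redirects; an https identifier
    whose discovery ended on http is a downgrade and is refused regardless
    of policy. Returns (accepted, canonical identifier or reason)."""
    canon = normalize(identifier)
    scheme = canon.split("://", 1)[0]
    if require_https and scheme != "https":
        return False, "this RP only accepts https identifiers"
    if scheme == "https" and final_discovery_url is not None:
        if scheme_of(final_discovery_url) != "https":
            return False, "discovery was downgraded to http"
    return True, canon


if __name__ == "__main__":
    for ident in ("http://IDP.Example:80/alice", "https://idp.example:443/alice"):
        print(ident, "->", idp_resolve(ident))
    print("bank RP, http ID:", rp_accept("http://idp.example/alice", True))
    print("forum RP, http ID:", rp_accept("http://idp.example/alice", False))
    print("bank RP, https ID downgraded:",
          rp_accept("https://idp.example/alice", True, "http://idp.example/alice"))
```

The normalisation matters on both sides: without it an attacker-controlled `https://idp.example:443/alice` or `https://IDP.example/alice` would either fail to match the account or be treated as a different identifier, depending on which side compares raw strings.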