
You are correct. The theory is that if the trusted domain X is willing to embed links that point to domain Y, then the browser should be ok with it too. No additional notification passed to the browser.

When EV certificates came out (the super HTTPS verification that turns the address bar green), Opera developers and the standards body had differing opinions about this very issue. http://my.opera.com/yngve/blog/2008/05/23/lowering-the-ev-ba... I bring this up to show that it is a tricky issue and even experts in the field disagree about it.



I need to look further, but so far it appears to me that when one chooses in a browser to view the certificate chain of a secure page, where that secure page references secure content from/using third party domains/certificates, only the certificate chain of the top level page is displayed. The other certificate chains involved are essentially hidden unless one views the page source or runs a traffic sniffer. Is that correct?

If so, I'd prefer an option to see all the certificate chains involved in loading a page's content. Maybe most users won't care, but some will, and it would keep those details from remaining hidden or difficult/time consuming to access.

Somewhat related to this, I continue to be somewhat frustrated at the amount of dialog navigation that is required to view certificate chains in some browsers (e.g. Firefox 3 made the chain viewing dialog deeper nested within a hierarchy of dialog navigation).

My perspective is that, even when users don't fully understand an item, they are good at noticing changes -- we're wired to do so. If the chain is easily accessed, and users are taught to give it a glance, they are likely to notice if/when it changes, particularly for regularly visited sites. They may not know exactly what is going on, but it would likely be enough to inject caution and a google (twitter, whatever) for answers.


What does this have to do with the URL scheme though? With or without it, secure pages can embed links to other secure pages on other domains. Whether the protocol is explicit in the markup does not change the browser's ability to mix content from multiple secure domains.
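The point raised in the comments above (that a page on domain X can pull secure content from domain Y with no notification to the user, and that only the top-level page's certificate chain is shown) can be made concrete by enumerating the origins a page actually loads from. The following is an added example, not code from any commenter: it takes a page URL and its markup, resolves each subresource reference the way a browser does (a scheme-relative "//host/path" inherits the page's scheme, an explicit "http://" on an https page is mixed content), and reports every distinct origin whose certificate chain a user would have to inspect separately. The hostnames and markup are constructed for illustration.

```javascript
// Added example (not from the thread): list every distinct origin a page would
// fetch subresources from, resolving references the way a browser does.
// Uses the WHATWG URL class that is global in Node.js.

// Pull subresource references out of markup: any src="..." attribute, plus the
// href of <link> tags. Anchor hrefs are navigations, not loads, so they are
// ignored. A regex suffices for this illustration; a real scanner would use an
// HTML parser.
function extractReferences(html) {
  const refs = [];
  const attr = /<link\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))|\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    refs.push(m[1] ?? m[2] ?? m[3] ?? m[4] ?? m[5] ?? m[6]);
  }
  return refs;
}

// Resolve each reference against the page URL and group by origin.
// "//host/path" takes the page's scheme, so on an https page it is https;
// an explicit "http://" reference is mixed content on an https page.
function subresourceOrigins(pageUrl, html) {
  const page = new URL(pageUrl);
  const origins = new Map(); // origin -> { thirdParty, mixed, count }
  for (const ref of extractReferences(html)) {
    let u;
    try { u = new URL(ref, page); } catch { continue; } // unparsable reference
    if (u.protocol !== "http:" && u.protocol !== "https:") continue; // data:, mailto:, ...
    const entry = origins.get(u.origin) || {
      thirdParty: u.host !== page.host,
      mixed: page.protocol === "https:" && u.protocol === "http:",
      count: 0,
    };
    entry.count += 1;
    origins.set(u.origin, entry);
  }
  return origins;
}

// Constructed sample page: same-origin CSS, a scheme-relative CDN script, an
// explicit https third-party script, a plain-http image, and a navigation link.
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example/lib.js"></script>
<script src="https://analytics.example/t.js"></script>
<img src="http://images.example/logo.png">
<a href="https://partner.example/">partner</a>
</head></html>`;

// One line per origin, flagging what the browser's certificate viewer does
// not show (third-party chains) and what it would warn about (mixed content).
function report(pageUrl, html) {
  const lines = [];
  for (const [origin, info] of subresourceOrigins(pageUrl, html)) {
    const tags = [];
    if (info.thirdParty) tags.push("third-party: chain not shown in the page's certificate viewer");
    if (info.mixed) tags.push("MIXED CONTENT: plain http on an https page");
    const refs = `${info.count} reference${info.count === 1 ? "" : "s"}`;
    lines.push(`${origin} (${refs})${tags.length ? " - " + tags.join("; ") : ""}`);
  }
  return lines;
}

for (const line of report(SAMPLE_PAGE, SAMPLE_HTML)) console.log(line);
```

Run with `node` and the output lists four origins: the page's own, two https third parties (one of them reached through a scheme-relative reference, which is the case the URL-scheme discussion is about), and one plain-http origin that would trigger a mixed-content warning. The navigation link to partner.example is not counted, since the browser does not fetch it while rendering the page.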


I was asking a separate question, making a separate comment. Sorry if it seems too far off from the original article's topic, but cninja seems to have a lot of background in this area. I thought that if he or another chose to respond again, it might clarify things for me, and maybe some other readers.

Perhaps I should have waited before responding; I'm (still) feeling kind of off, today. Apologies to anyone annoyed by my contributions here.



