I wondered about bringing that up, that embedding HTTPS with iframe seemed to defeat the purpose of using HTTPS... But the real issue is that mixing the two protocols at all defeats the purpose, no matter how it's attained.
So I'll put the question here that I took out of my first post: Why would you want to do that? If you're trying to be secure, why make it less secure?
Paul's (may I call you Paul?) original advice is still the best: