Posted last note too soon; you can indeed issue the challenge without an https scheme, but once the user attempts login:

Traceback (most recent call last):
  File "/usr/local/lib/python2.4/site-packages/qp/pub/publish.py", line 158, in process_hit
    self.fill_response()
  File "/usr/local/lib/python2.4/site-packages/qp/pub/publish.py", line 202, in fill_response
    assert get_request().get_scheme() == 'https', (
AssertionError: Session cookies are only allowed with https.

I can certainly see why this might be so, although some applications / use cases may find this level of assurance burdensome. Thoughts?