You can do what you're asking about, but you're degrading the amount of confidence a user should have in your site and the content within.
Lots of banks do this sort of thing for their front pages from which you can log into your account. There was a long discussion about it here: "Chase Bank = no encryption". The first post to really discuss the real problem in that thread is by robo_mojo. A couple of others, including mine, say some of the same things.
The bottom line is that your outer page is not encrypted or signed, therefore the user cannot be sure that the page was not manipulated en route. So without viewing source or looking at it in memory with a tool like Firebug, as well as some other investigating, your user cannot be sure that the iframe is still pointing to where it should, etc. Or maybe a script was injected which manipulates the DOM in memory to play with what was your iframe.
SSL (HTTPS) has two purposes--encryption and non-repudiation. You're removing the second portion, causing doubt about both purposes.
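An added example, not part of the original post: a small Python audit that flags the pattern discussed above, where an HTTPS login iframe or a password form sits on an outer page delivered over plain HTTP. The hostnames and HTML are constructed samples, and `audit_page` and its finding labels are hypothetical names chosen for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class EmbedCollector(HTMLParser):
    """Collect iframe sources and note whether the page has a password field."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def audit_page(page_url, html):
    """Return (label, url) findings for logins hosted on an unauthenticated page."""
    parser = EmbedCollector()
    parser.feed(html)
    if urlsplit(page_url).scheme == "https":
        return []  # outer page is itself authenticated; nothing to flag here
    findings = []
    for src in parser.iframes:
        target = urljoin(page_url, src)  # resolve relative src against the page
        if urlsplit(target).scheme == "https":
            # The frame is protected, but the page that points to it is not,
            # so the src (or the DOM around it) can be altered in transit.
            findings.append(("https-iframe-in-http-page", target))
    if parser.has_password:
        # The form markup itself arrived unauthenticated, whatever its action.
        findings.append(("password-field-on-http-page", page_url))
    return findings


# Constructed sample pages (not taken from any real site).
SAMPLE_IFRAME = ('<html><body><h1>Welcome</h1>'
                 '<iframe src="https://login.example.com/signin"></iframe>'
                 '</body></html>')
SAMPLE_FORM = ('<form action="https://login.example.com/auth">'
               '<input type="text" name="u"><input type="password" name="p">'
               '</form>')

if __name__ == "__main__":
    for url, html in [("http://www.example.com/", SAMPLE_IFRAME),
                      ("http://www.example.com/home", SAMPLE_FORM),
                      ("https://www.example.com/", SAMPLE_IFRAME)]:
        print(url, audit_page(url, html))
```
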