I agree that all of the messages should be signed by the message sender's private key to ensure that the message isn't modified between the consumer and the merchant. E.g. the request from the merchant is signed by one of the addresses in the output section, the payment from the consumer is signed with one of the addresses used in the payment transaction, and the paymentACK from the merchant is signed with the same key as the first message.
Regarding the http/https, I think that was a good choice since that is an existing protocol which provides some privacy and direct connection between two computers instead of flooding the network like transactions do. Although the choice of X.509 certificates for signing is questionable, I can also understand that because those have names associated with them.
Perhaps you (or maybe I, if I have enough time) can write some code to add such things to the payment protocol and submit at PR.
Why would we need HTTPS if bitcoin already has the concept of public and private keys in itself? Instead of a HTTPS certificate you would use the other party's public key and you would get it directly from the block chain, so its integrity is automatically guaranteed. What is more, currently the merchant has to have a static IP address. It's a remnant from the old and centralized way of internetting. We don't need this client<-->server concept any more. The nodes should be able to talk to each other directly, from behind ISP firewalls with their ports closed and what not.