Hi, apologies for the use of English in a non-English forum, but I had some dialogue with Jan Gondol about this, and he encouraged me to share my views here. Below is a slightly adapted version of an email I sent him about it.
For context, I work for the US government’s General Services Administration, and I help oversee the implementation of an HTTPS-only mandate for publicly accessible US government web services (details at https://https.cio.gov).
I strongly encourage you to move away from http:// for the use of URIs, even though they are not intended to be used as URLs.
While I understand that URIs are not URLs, the use of http:// for XML namespaces and DTD definitions, and the severe friction that has resulted in migrating open data services to use secure connections, have polarized me a bit on the subject.
For some context, see this discussion about proposing an exception to the US government’s HTTPS-only mandate for XML/DTD URIs:
I have read arguments by the linked data community – in particular Tim Berners-Lee – that mixing semantics around transport with URI namespacing is a mistake. I agree with that, but unfortunately this mixing is already present even when using http://. People seemed to choose http:// for URIs as a convenience rather than inventing something new, and I think that’s proving to be a mistake.
I have also seen arguments from the open data community – again most prominently by Tim Berners-Lee – that web browsers should drop mixed content protections to allow open data sources only available over http:// to be pulled into https:// websites. This is essentially saying that open data doesn’t need transport integrity or confidentiality at the protocol level, and seems to be partially motivated by the idea that pressure to change http:// URIs to https:// is too much work.
While you can argue for namespace purity without also arguing against the need for transport integrity, the fact that they’ve both been argued together has entangled the issues more than they should be.
These entangled arguments, along with the pain I’ve observed around XML/DTD URIs, have led me to feel pretty strongly that if you’re going to use a URI that references a transport protocol – even if it’s not intended for dereferencing through a network connection – that URI should reference the secure version and not the deprecated version.
If URIs are meant to be fully independent, they should choose a scheme identifier other than http:// or https://. If they’re going to choose a scheme identifier that includes http, then it should be https://.