This adds an integrity (checksum) attribute to a resource and I think that is fine. It can also be used via https or http but they indicate http is not safe (3.3.2).

The problem is that the data is going to be encrypted per user https session and this adds a load to the server (say if you are streaming a movie or downloading a large file). With https the data has to be encrypted per user so there really is no caching on the output. Sure, the original data file can be in a cache, but what goes out (payload sans header) is the encrypted-per-user byte set. Unlike http where the payload across all users is the same.