Comment 2 for bug 1174499

Adam Young (ayoung) wrote :

That was my take as well, just being cautious. Considering that the Hash is generated by an operation completely controlled by Keystone, I don't think it is possible to intentionally create a collision on the server. In auth_token middleware, the Hash is based on a PKI-verified token, so, again, a random document will never be hashed. Thus, this is a hardening issue.