Comment 4 for bug 1243336

Dolph Mathews (dolph) wrote :

This has been previously discussed, and 404 is the preferred status code for an invalid subject token, which must be distinguished from an invalid X-Auth-Token. An invalid/revoked/expired X-Subject-Token CANNOT be "considered similar to providing incorrect username or password" -- the requestor is authenticated by the X-Auth-Token, not by the X-Subject-Token. I don't think there's any room to change status codes here.
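
The distinction drawn in the comment above, modelled as an added example (not Keystone's code and not part of the original comment): a service that validates its users' tokens re-authenticates only when its own X-Auth-Token is refused, and rejects the user when the subject token is not found. The class names and token strings are constructed, and the model assumes an invalid X-Auth-Token is answered with 401.

```python
# Constructed model; FakeIdentity, Validator and the "tok-N" strings are hypothetical.

class FakeIdentity:
    """Stands in for the identity service; tracks which tokens are valid."""

    def __init__(self):
        self.valid = set()
        self.issued = 0

    def issue(self):
        self.issued += 1
        token = f"tok-{self.issued}"
        self.valid.add(token)
        return token

    def validate(self, x_auth_token, x_subject_token):
        # The requestor is authenticated by X-Auth-Token alone.
        if x_auth_token not in self.valid:
            return 401
        # The subject token is the resource being looked up, not a credential.
        if x_subject_token not in self.valid:
            return 404
        return 200


class Validator:
    """A service that validates tokens presented by its own users."""

    def __init__(self, identity):
        self.identity = identity
        self.service_token = identity.issue()

    def check(self, subject_token):
        status = self.identity.validate(self.service_token, subject_token)
        if status == 401:
            # Our own credential was refused: re-authenticate once and retry.
            self.service_token = self.identity.issue()
            status = self.identity.validate(self.service_token, subject_token)
        if status == 200:
            return "accept"
        if status == 404:
            # Invalid/revoked/expired subject token: reject the user and keep
            # our own token, since nothing is wrong with it.
            return "reject"
        return "error"  # still refused after re-authenticating
```

If both cases returned the same status, `check` could not tell whether to refresh its own token or turn the user away.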