Comment 27 for bug 1490804

Morgan Fainberg (mdrnstm) wrote : Re: PKI Token Revocation Bypass

A few issues that came up in discussion earlier tonight:

* What happens if someone respins a token from PKI to PKIZ or vice-versa?
* In PKI, the delimiter (---- START CMS ---- and the corresponding end one) could be pre/post substituted in PKI (not PKIZ) and change the resulting ID but still pass, due to the token_to_cms (or cms_to_token) code doing a blind substitution between '/' and '-'.

One of the other options could be to provide an option for KeystoneMiddleware to disable offline validation (default to off) and have it hash the tokens the same way django_openstack_auth does (which is not affected by this issue).

I'm looking over the code in the Reject-modified-PKI-Tokens.patch and it is a partial solution, but I have not spent enough time poking at the code to be sure what other gaps are there in PKI(Z) validation.
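One defensive check the second bullet points toward, written here as an added example (not code from keystone, keystonemiddleware or the patch discussed): run the supplied token back through the same token_to_cms/cms_to_token mapping, compute the revocation-list hash from that canonical form rather than the raw string, and reject any token that does not round-trip unchanged. The two mapping helpers are simplified stand-ins for the keystoneclient ones, and MD5 is assumed as the revocation-list hash.

```python
import hashlib
import textwrap

PEM_HEADER = "-----BEGIN CMS-----"
PEM_FOOTER = "-----END CMS-----"


def token_to_cms(signed_text: str) -> str:
    """Simplified stand-in for the keystoneclient mapping: blind '-' -> '/'
    substitution, then re-wrap the text as a PEM-style CMS block."""
    lines = [PEM_HEADER]
    lines += textwrap.wrap(signed_text.replace("-", "/"), 64)
    lines.append(PEM_FOOTER + "\n")
    return "\n".join(lines)


def cms_to_token(cms_text: str) -> str:
    """Inverse stand-in: strip delimiters and whitespace, then '/' -> '-'."""
    body = cms_text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    return "".join(body.split()).replace("/", "-")


def canonical_token(token: str) -> str:
    """The one representation every variant of a token string maps to
    after a full round trip through the two mappings."""
    return cms_to_token(token_to_cms(token))


def is_canonical(token: str) -> bool:
    """True only if the supplied string is already in canonical form.
    Variants that differ only by '/' vs '-', embedded whitespace or stray
    delimiter text fail this check and should be rejected outright."""
    return token == canonical_token(token)


def revocation_id(token: str) -> str:
    """Hash for the revocation-list lookup, taken over the canonical form so
    that every spelling of one CMS blob yields the same id.
    MD5 is assumed as the list's hash (constructed for this example)."""
    return hashlib.md5(canonical_token(token).encode()).hexdigest()


def naive_revocation_id(token: str) -> str:
    """The behaviour the comment warns about: hash the raw string as sent,
    so two spellings of the same CMS get different ids."""
    return hashlib.md5(token.encode()).hexdigest()
```

With a constructed token such as "abc/def" versus "abc-def", naive_revocation_id gives two different ids while revocation_id gives one, and only the '-' spelling passes is_canonical.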