diff --git a/doc/todo/option_to_add_user-specified_string_to_key/comment_4_f7a57038a1ccce664d30b545444fc145._comment b/doc/todo/option_to_add_user-specified_string_to_key/comment_4_f7a57038a1ccce664d30b545444fc145._comment
new file mode 100644
index 0000000000..7e6c2eed19
--- /dev/null
+++ b/doc/todo/option_to_add_user-specified_string_to_key/comment_4_f7a57038a1ccce664d30b545444fc145._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="Ilya_Shlyakhter"
+ avatar="http://cdn.libravatar.org/avatar/1647044369aa7747829c38b9dcc84df0"
+ subject="comment 4"
+ date="2019-01-11T22:23:06Z"
+ content="""
+\"annex.securehashesonly would need to prohibit use of the resulting keys\" -- that's fine, I only use URL/WORM/MD5 keys already, and so does DataLad by default.  Btw, if letting keys contain user-provided content is insecure, then all keys that contain file extensions should also be deemed insecure?
+"""]]