Shared signature to publish events

I'm using shared signatures to Post events with HTTP to the event hub.

For instance I post to

https://commandhub.servicebus.windows.net/rmmdevices/publishers/cdf35a34-f2c8-4562-a3ab-b18d5e6100e3/messages?timeout=60&api-version=2014-05

using

Authorization: SharedAccessSignature sr=sb%3a%2f%2fcommandhub.servicebus.windows.net%2frmmdevices%2fpublishers%2fcdf35a34-f2c8-4562-a3ab-b18d5e6100e3&sig=ZI9S0Fn7XCboEF55jqbhH3bVq%2bKX2pBGzyvOHeC8flI%3d&se=1432203732&skn=***hidden***

Now I found out that changing the Publisher will make the signature invalid (that's great) so the following will not work with the SAME signature

https://commandhub.servicebus.windows.net/rmmdevices/publishers/change-cdf35a34-f2c8-4562-a3ab-b18d5e6100e3/messages?timeout=60&api-version=2014-05

But

https://commandhub.servicebus.windows.net/rmmdevices/publishers/cdf35a34-f2c8-4562-a3ab-b18d5e6100e3-change/messages?timeout=60&api-version=2014-05

workes and this is not so good as it takes away the possibility to block publishers from publishing. (They can just add some data to there name and reuse the still valid signature.)

Is this a BUG or a FEATURE?

Documentation states at (https://msdn.microsoft.com/en-us/library/azure/dn170477.aspx):

A SAS token is valid for all resources under the <resourceURI> used in the string-to-sign.

sb://commandhub.servicebus.windows.net/rmmdevices/publishers/cdf35a34-f2c8-4562-a3ab-b18d5e6100e3

is a substring but not a parent ressource of

sb://commandhub.servicebus.windows.net/rmmdevices/publishers/cdf35a34-f2c8-4562-a3ab-b18d5e6100e3-change

Dan Danneberg