if <a rel="hub"> is allowed, then people could hijack the page's hub URL via the HTML comments box. " together with fat pings this would mean that I could inject fake news into people's readers when they susbcribe to someone's blog, just by posting a comment with a rel=hub link"

Please also note in the security considerations why implementations MUST NOT support <a rel="hub">