w3c / websub

WebSub Spec in Social Web Working Group

Home Page: https://w3c.github.io/websub/

Resolving #43 and #36

aaronpk opened this issue

  • SHOULD use capability URLs with a large enough entropy to not be guessable
  • SHOULD generate a new unique URL when the subscriber renews the subscription
  • the hub MUST enforce lease expirations, and more than 3 months is a warning in the test tool

I like (1). I'm neutral on (3). I have a problem with (2): aren't subscriptions identified by (topic URL, callback URL) pairs? So then a "renewal" would really be creating a new subscription.

Generally, I wonder if the spec would be improved by removing hub.secret entirely and relying on capability-style URLs only. (Implementations could offer hub.secret as an extension, but it wouldn't be part of the standard spec.) Especially nice is that letsencrypt exists, and that we don't have the "Referer" problem to deal with here.

We decided that the concept of Defense in Depth means it still makes sense to support the signature with the hub.secret. The notification payload is more important for a subscriber to ensure hasn't been tampered with by a MITM attack (such as an intentional MITM in an enterprise network).
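Added example, not part of the issue thread or of the WebSub project's code: a subscriber-side illustration of the two layers discussed above, an unguessable capability callback URL issued fresh for each subscription or renewal, plus verification of the hub's `X-Hub-Signature` header against `hub.secret`. The function names, the in-memory `subs` store, the example URLs and the sample payload are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Digest methods the WebSub spec permits in the X-Hub-Signature header.
ALLOWED_METHODS = {"sha1", "sha256", "sha384", "sha512"}


def new_subscription(base_url, topic):
    """Create subscriber state for one subscription (call again on renewal)."""
    token = secrets.token_urlsafe(32)  # 256 bits of entropy in the URL path
    return {
        "topic": topic,
        "token": token,
        "callback": f"{base_url.rstrip('/')}/{token}",
        "secret": secrets.token_urlsafe(32),  # sent to the hub as hub.secret
    }


def verify_delivery(subs, path_token, signature_header, body):
    """Accept a delivery only if the callback token is known AND the HMAC matches."""
    sub = subs.get(path_token)
    if sub is None or not signature_header:
        return False
    method, sep, sent_hex = signature_header.partition("=")
    if not sep or method not in ALLOWED_METHODS:
        return False
    expected = hmac.new(sub["secret"].encode(), body, method).hexdigest()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), sent_hex.strip().lower().encode())


def demo():
    """Constructed sample: one genuine delivery and one altered in transit."""
    sub = new_subscription("https://subscriber.example/websub", "https://pub.example/feed")
    subs = {sub["token"]: sub}
    body = b'{"title": "constructed sample notification"}'
    sig = "sha256=" + hmac.new(sub["secret"].encode(), body, hashlib.sha256).hexdigest()
    genuine = verify_delivery(subs, sub["token"], sig, body)
    tampered = verify_delivery(subs, sub["token"], sig, body.replace(b"sample", b"forged"))
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Knowing the callback URL alone is not enough to get a payload accepted here: a party that learns the URL but not `hub.secret` still fails the signature check, which is the defense-in-depth argument made in the last comment.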