Matt Cutts just weighed in on this:
He says a bunch of specifics about when rel canonical will not be honored:
1) In the <body>, only honored in the <head> (answers my question from my earlier response, YAY!)
2) If Google suspects the site is hacked
3) If the <head> section is not closed
4) If it points to a 404 page.