An implementation MUST ensure that a valid direct-key signature is present before using a v6 key. This prevents certain attacks where an adversary strips a self-signature specifying a key expiration time or certain preferences.
Is my understanding correct that self signatures are always done by the primary key, i.e., an encryption subkey direct-key self-signature is issued by the primary key?
What about signature subkeys with key usage flag 0x01?
From what I read under 5.2.3.7, it seems that direct-key self signatures are only described / considered for the case of a primary key making the signature. The only case of certification signatures made by a subkey I am aware of is the primary key binding signature, which is not in the list of signature types in the beginning of that section, nor is it mentioned anywhere in that section.
I am not sure if signature subkeys with certification capability are meant to exist (though probably not explicitly excluded by the standard). If at all, then probably only to certify other keys, but not their own primary key.
falko-strenzke changed the title from "Check v5 direct-key self signature" to "Check v6 direct-key self signature" on Feb 5, 2024
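A structural version of the check discussed in this thread, as an added example (not code from the issue or from the project): it walks an OpenPGP packet sequence and reports whether a v6 direct-key signature (type 0x1F) sits among the signatures attached to the primary key, so a stripped or misplaced one is noticed. It assumes new-format packet headers and does not verify the signature cryptographically; the function names and the sample packets are constructed for illustration.

```python
import struct

SIG, PUBKEY, USER_ID, SUBKEY = 2, 6, 13, 14   # OpenPGP packet type IDs
DIRECT_KEY = 0x1F                              # direct-key signature type

def packets(data):
    """Yield (type_id, body) for each new-format OpenPGP packet in data."""
    i = 0
    while i < len(data):
        if i + 1 >= len(data) or data[i] & 0xC0 != 0xC0:
            raise ValueError("truncated or not a new-format packet header")
        ctb, first = data[i], data[i + 1]
        if first < 192:                        # one-octet length
            n, i = first, i + 2
        elif first < 224:                      # two-octet length
            n, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        elif first == 255:                     # five-octet length
            n, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
        else:
            raise ValueError("partial body lengths not handled here")
        if i + n > len(data):
            raise ValueError("truncated packet body")
        yield ctb & 0x3F, data[i:i + n]
        i += n

def has_direct_key_sig_candidate(cert):
    """True if a v6 0x1F signature follows the v6 primary key, before any
    User ID or subkey packet. Presence only: the signature still has to be
    verified against the primary key by a real OpenPGP implementation."""
    seq = list(packets(cert))
    if not seq or seq[0][0] != PUBKEY or seq[0][1][:1] != b"\x06":
        raise ValueError("expected a v6 primary public key packet first")
    for tag, body in seq[1:]:
        if tag != SIG:                 # signatures on the primary key end here
            break
        if body[:2] == bytes([6, DIRECT_KEY]):   # version 6, type 0x1F
            return True
    return False

def pkt(tag, body):
    """Build a constructed sample packet (bodies under 192 octets only)."""
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample packets: zero-filled bodies, not real key material.
KEY = pkt(PUBKEY, b"\x06" + bytes(10))
DKS = pkt(SIG, bytes([6, DIRECT_KEY]) + bytes(8))
UID = pkt(USER_ID, b"alice@example.org")
SUB = pkt(SUBKEY, b"\x06" + bytes(10))
BIND = pkt(SIG, bytes([6, 0x18]) + bytes(8))     # subkey binding signature
INTACT = KEY + DKS + UID + SUB + BIND
STRIPPED = KEY + UID + SUB + BIND                # direct-key signature removed
```
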