Clarify which key creation time is used to calculate the key expiration time

This change is not related to crypto-refresh, but is an important clarification that should be without side-effects, and so IMO should be considered for -bis.

The ambiguity was identified through analysis of the Hockeypuck implementation (see https://github.com/hockeypuck/hockeypuck/issues/140). Key expiration times are stored as the number of seconds since the key creation time, but it is not explicitly stated whether the primary key or subkey creation time should be used as the origin for subkey binding signatures. Hockeypuck always measures expiry relative to the primary key creation time, whereas (most?) other implementations use the subkey creation time in sbinds.

This change explicitly states the common interpretation where subkey expiration times are calculated relative to the subkey's own creation time.
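The two readings described above, as an added example that is not part of this merge request or of any implementation's code: it reads the Key Expiration Time subpacket (type 9, a 4-octet big-endian offset in seconds) from a signature's subpacket area and computes the subkey expiry from both origins. The function names are hypothetical, and the subpacket bytes and timestamps are constructed sample values.

```python
import struct

KEY_EXPIRATION_TIME = 9  # OpenPGP signature subpacket type


def parse_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        hdr = 1 if first < 192 else 2 if first < 255 else 5
        if i + hdr > len(area):
            raise ValueError("truncated subpacket length")
        if hdr == 1:      # one-octet length
            length = first
        elif hdr == 2:    # two-octet length
            length = ((first - 192) << 8) + area[i + 1] + 192
        else:             # five-octet length: 0xFF then 4 octets big-endian
            length = struct.unpack(">I", area[i + 1:i + 5])[0]
        i += hdr
        # The length counts the type octet, so it can never be zero.
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        tag = area[i]
        yield tag & 0x7F, bool(tag & 0x80), area[i + 1:i + length]
        i += length


def key_expiration_offset(area: bytes):
    """Return the offset in seconds, or None if absent or zero (no expiry)."""
    for sp_type, _critical, body in parse_subpackets(area):
        if sp_type == KEY_EXPIRATION_TIME:
            if len(body) != 4:
                raise ValueError("Key Expiration Time must be 4 octets")
            return struct.unpack(">I", body)[0] or None
    return None


def subkey_expiry(area: bytes, primary_created: int, subkey_created: int):
    """Return (expiry from subkey origin, expiry from primary origin)."""
    offset = key_expiration_offset(area)
    if offset is None:
        return None, None
    return subkey_created + offset, primary_created + offset


# Constructed sample: subpacket area of a subkey binding signature holding
# one Key Expiration Time subpacket (length 5, type 9, 365 days in seconds).
SAMPLE_AREA = bytes([5, KEY_EXPIRATION_TIME]) + struct.pack(">I", 365 * 86400)
PRIMARY_CREATED = 1577836800  # 2020-01-01T00:00:00Z (constructed)
SUBKEY_CREATED = 1640995200   # 2022-01-01T00:00:00Z (constructed)
```

With the sample values, the subkey-origin reading gives 2023-01-01T00:00:00Z, while the primary-origin reading gives 2020-12-31T00:00:00Z, a date before the subkey was created.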
