spec: clarify distinction between primary key and certificate as a whole
The spec contains some text that seems to conflate the idea of the certificate as a whole with the primary key.
This is not an unreasonable conflation in many cases: a given primary key is often used as a proxy for the certificate itself.
But a given certificate is a collection of objects that can change over time, and a cryptographic connection between something and a certificate might imply that when the collection changes the connection breaks.
For example, a binding is really a connection between a user ID and a public key, not between a user ID and the certificate as a whole. The rest of the data in the certificate is connected to the user ID through its connection to the primary key.
This is a nit-picky point, but this is a nit-picky document and precision does matter when trying to clear up the complicated mess this is tackling here.