diff --git a/book/source/08-signing_components.md b/book/source/08-signing_components.md index adc1f4f..b370273 100644 --- a/book/source/08-signing_components.md +++ b/book/source/08-signing_components.md @@ -49,9 +49,11 @@ Third-party signatures are used to make specific statements: - revoking, and thus invalidating, prior third-party signature statements ```{note} -The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. Typically, only the certificate's primary can hold this key flag. +The **certify others** [key flag](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-key-flags) (`0x01`) is required to issue third-party signatures. By convention[^primary-certification], only the certificate's primary can hold this key flag. ``` +[^primary-certification]: Implementations currently assume that only the primary key may hold the "certify others" key flag. However, the RFC doesn't clearly specify this limitation. + ### Distinct functions of self-signatures and third-party signatures The meaning of an OpenPGP signature depends significantly on its issuer. Self-signatures and third-party signatures, even when of the same [signature type](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-signature-types), serve distinct functions. For example:
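Review bot: the new footnote asserts "the RFC doesn't clearly specify this limitation" but gives no pointer to the text it is interpreting; the note body already links the key-flags section of draft-ietf-openpgp-crypto-refresh-12, so reference that section in the footnote and call the document "the draft" (or "the specification") rather than "the RFC", since the linked document is an Internet-Draft, not a published RFC. The wording "only the certificate's primary can hold this key flag" is also missing its noun; "only the certificate's primary key can hold this key flag" reads more clearly.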