Well, reading this policy part for what might be the first time lol, 22 and 23 can basically be condensed to:
1) "technically establish your trust policy"
2) verify the attestation used is within that trust policy
and I'd personally throw a green note box in there for some common-sense policy points:
1) If no attestation is allowed, self attestation should be equally allowed; if the RP is incapable of actually handling the attestation, just check whether it looks like one ("packed" and no "x5c") and treat it just the same as none, maybe.
2) If self attestation is allowed (or, by extension of 1, no attestation), you should not enforce attestation certificates chaining to a "trusted root" (as a non-"trusted" authenticator can just be stripped of its attestation).
3) Equally, if trust certificates are not enforced, it would make sense to also allow no and self attestation, as people could just add their own custom attestation to the response if they really wanted to.
One thing I am currently not sure of is what self attestation is really for; I mean, what does it really change compared to sending over no attestation?
Regards
My1
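The three policy-consistency rules and the "looks like self attestation" check ("packed" with no "x5c") from the post above, as an added Python example that is not code from the post or from any WebAuthn library; the AttestationObject and TrustPolicy types are constructed stand-ins, and the strings inside x5c are placeholder certificate names in place of real X.509 chain validation.

```python
from dataclasses import dataclass, field


@dataclass
class AttestationObject:
    # Constructed stand-in for a decoded attestationObject: fmt plus the attStmt map.
    fmt: str
    att_stmt: dict = field(default_factory=dict)


@dataclass
class TrustPolicy:
    allow_none: bool
    allow_self: bool
    require_trusted_root: bool      # must x5c chain to one of trusted_roots?
    trusted_roots: frozenset = frozenset()


def classify(att: AttestationObject) -> str:
    """Coarse attestation type: 'none', 'self' (packed without x5c) or 'certificate'."""
    if att.fmt == "none":
        return "none"
    if att.fmt == "packed" and "x5c" not in att.att_stmt:
        return "self"           # signed with the credential private key itself
    return "certificate"        # x5c present: a chain the RP may validate


def policy_problems(p: TrustPolicy) -> list:
    """The consistency rules from the post; an empty list means the policy is coherent."""
    problems = []
    if p.allow_none and not p.allow_self:
        problems.append("none allowed but self attestation rejected")
    if (p.allow_none or p.allow_self) and p.require_trusted_root:
        problems.append("trusted root enforced but a response can be stripped to none/self")
    if not p.require_trusted_root and not (p.allow_none and p.allow_self):
        problems.append("no trusted root enforced but none/self attestation rejected")
    return problems


def accept(att: AttestationObject, p: TrustPolicy) -> bool:
    """Decide whether a registration's attestation type satisfies the policy.
    Signature checks over authData/clientDataHash are out of scope here."""
    kind = classify(att)
    if kind == "none":
        return p.allow_none
    if kind == "self":
        return p.allow_self
    if not p.require_trusted_root:
        return True
    # Placeholder for X.509 chain validation: x5c holds constructed cert names.
    return any(cert in p.trusted_roots for cert in att.att_stmt["x5c"])
```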