The draft reads well and is clear. I have one question that is maybe worth answering in the security considerations. What is the impact of retrieving the trust anchors over http instead of https? Does that lead to a risk of ending up with an invalid set of trust anchors? Klaas