Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-04-19 Thread Kent Watsen
> I think Peter’s point is that moving to JWT for the voucher signature
> but depending on PKCS#7 in the /cacerts exchange results in clients
> being required to handle both formats.

This is one of my issues, when thinking about the NETCONF zerotouch bootstrapping draft, as all the other

Re: [Anima] [Anima-bootstrap] Voucher signing method

2017-04-19 Thread Panos Kampanakis (pkampana)
About a), I don't think putting all the CA certs in the voucher is a good idea. EST should be used instead. I don’t think it is right for someone to expect the voucher to distribute its roots of trust. What if a CA cert gets revoked or expires? EST has the transitional certs that allow for root