During remote attestation process using NRAS, the token received as result is decoded and the signature is validated using the certificate that comes from the JWKS endpoint to the 'kid' for the token. Is there a reason why the verification stop there? Why not verify the certificate chain in its entirety in case of some attack? Are the remaining certificates up the chain available somewhere if I'd want to check them manually?