Re: the temporary CA that transnexus setup, what prevents self signing? Looking at that slide it seemed the p-assert specifies the CA to check. Is there a root CA which signs issuers certs similar to standard SSL/TLS?

Yes. We have created a temporary CA to provide this root certifcate.