The Relying Party does not need to verify the signatures, but doing so is possible. For that, the following is needed:
- The signature returned from the service. A specification of the content is delivered to you on request.
- The certificates of the user and the intermediate CAs. These are included in the signature.
- The ocspResponse returned from the service.
- The self-signed root certificate. This is delivered to you on request.