diff --git a/Changelog.md b/Changelog.md
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,10 @@
+### 0.4.0.0
+
+- Field *ocspRespCerts* of *OCSPResponseVerificationData* now contains a list
+  of *signed certificates* augmented by *DER*-encoded *tbsCertificate* as defined
+  in *rfc5280*. This enables check of the OCSP Signature Authority Delegation.
+  See a basic implementation of the check in the *client-ocsp* example.
+
 ### 0.3.1.0
 
 - Add function *getOCSPResponseVerificationData'* which is similar to
diff --git a/Data/X509/OCSP.hs b/Data/X509/OCSP.hs
--- a/Data/X509/OCSP.hs
+++ b/Data/X509/OCSP.hs
@@ -254,7 +254,9 @@
 -- signature /ocspRespSignature/. Binary data /ocspRespDer/ and algorithm
 -- /ocspRespSignatureAlg/ are what has been used to sign the response. The
 -- verification process may require the public key of the issuer certificate
--- if it's not been attached in /ocspRespCerts/.
+-- if it's not been attached in /ocspRespCerts/. The latter contains a list of
+-- signed certificates augmented by DER-encoded /tbsCertificate/ as defined in
+-- /rfc5280/.
 --
 -- See details of signing and verification of OCSP responses in /rfc6960/.
 --
@@ -276,21 +278,22 @@
 --
 -- Note that the issuer certificate gets passed to /verifySignature\'/ rather
 -- than looked up in /ocspRespCerts/. The OCSP Signature Authority Delegation
--- is not checked in the function.
+-- is not checked in this simple example.
 --
 -- To verify update times, check the values of 'ocspRespCertThisUpdate' and
 -- 'ocspRespCertNextUpdate' which both must have been constructed as
 -- 'TimeGeneralized'.
 data OCSPResponseVerificationData =
-    OCSPResponseVerificationData { ocspRespDer :: ByteString
-                                   -- ^ Response data (DER-encoded)
-                                 , ocspRespSignatureAlg :: SignatureALG
-                                   -- ^ Signature algorithm
-                                 , ocspRespSignature :: ByteString
-                                   -- ^ Signature
-                                 , ocspRespCerts :: [Certificate]
-                                   -- ^ Certificates
-                                 } deriving (Show, Eq)
+    OCSPResponseVerificationData
+        { ocspRespDer :: ByteString
+          -- ^ Response data (DER-encoded)
+        , ocspRespSignatureAlg :: SignatureALG
+          -- ^ Signature algorithm
+        , ocspRespSignature :: ByteString
+          -- ^ Signature
+        , ocspRespCerts :: [(Signed Certificate, ByteString)]
+          -- ^ List of signed certificates
+        } deriving (Show, Eq)
 
 -- | Get verification data from OCSP response.
 --
@@ -316,7 +319,7 @@
     case next of
         Start Sequence : c2 -> do
             let (wrapInSequence -> alg, next') = getConstructedEnd 0 c2
-            (alg', _) <- either (const Nothing) Just $ fromASN1 alg
+            (alg', []) <- fromASN1' alg
             case next' of
                 BitString (BitArray _ sig) : c3
                     | c3 == [End Sequence] ->
@@ -331,10 +334,22 @@
                 _ -> Nothing
         _ -> Nothing
     where collectCerts (Start Sequence : c4) certs
-              | (Start Sequence : cert, c5) <- getConstructedEnd 0 c4 =
-                  case fromASN1 (getCurrentContainerContents cert) of
-                      Right (cert', _) -> collectCerts c5 $ cert' : certs
-                      _ -> Nothing
+              | (Start Sequence : cert, c5) <- getConstructedEnd 0 c4 = do
+                    let (cert', next) = getConstructedEnd 0 cert
+                    case next of
+                        Start Sequence : cc1 -> do
+                            let (wrapInSequence -> alg, next') =
+                                    getConstructedEnd 0 cc1
+                            (alg', []) <- fromASN1' alg
+                            case next' of
+                                [BitString (BitArray _ sig)] -> do
+                                    (cert'', []) <- fromASN1' cert'
+                                    collectCerts c5 $
+                                        ( Signed cert'' alg' sig
+                                        , encodeASN1' DER $ wrapInSequence cert'
+                                        ) : certs
+                                _ -> Nothing
+                        _ -> Nothing
           collectCerts [End Sequence, End (Container Context 0)] certs =
               Just certs
           collectCerts _ _ =
@@ -347,4 +362,7 @@
 
 skipCurrentContainer :: [ASN1] -> [ASN1]
 skipCurrentContainer = snd . getConstructedEnd 0
+
+fromASN1' :: ASN1Object a => [ASN1] -> Maybe (a, [ASN1])
+fromASN1' = either (const Nothing) Just . fromASN1
 
diff --git a/x509-ocsp.cabal b/x509-ocsp.cabal
--- a/x509-ocsp.cabal
+++ b/x509-ocsp.cabal
@@ -1,7 +1,7 @@
 cabal-version:          2.4
 
 name:                   x509-ocsp
-version:                0.3.1.0
+version:                0.4.0.0
 synopsis:               Basic X509 OCSP implementation
 description:            Build X509 OCSP requests and parse responses
 homepage:               https://github.com/lyokha/x509-ocsp
