When the OCSP response used to check the validity of a eIDAS QES signature certificate is signed using a different root certificate than used for signing the user certificate, the signature validity is shown as UNKNOWN, although this procedure is in conformity with the European Union eIDAS regulation. Currently, this problem occurs with signature cards of the German Health Network trust center. More information (in German) can be found at https://www.intarsys.de/faq/Hinweise-validierung-reader.