diff --git a/dss-document/src/main/java/eu/europa/esig/dss/validation/SignatureValidationContext.java b/dss-document/src/main/java/eu/europa/esig/dss/validation/SignatureValidationContext.java
index a25f67e..bc8340a 100644
--- a/dss-document/src/main/java/eu/europa/esig/dss/validation/SignatureValidationContext.java
+++ b/dss-document/src/main/java/eu/europa/esig/dss/validation/SignatureValidationContext.java
@@ -128,7 +128,15 @@ public class SignatureValidationContext implements ValidationContext {
 		}
 
 		for (CertificateToken certificateToken : processedCertificates) {
+                    // at this point in time there might be CertificateSourceType.SIGNATURE_KEY_INFO from a signature
+                    // this means this token has been read completely read from signature
+                    // if we need to establish POE based on timestamped data, adding CertificateSourceType.UNKNOWN makes POE difficult to establish
+                    if (certificateToken.getSources().isEmpty()) {
 			validationCertificatePool.getInstance(certificateToken, CertificateSourceType.UNKNOWN);
+                    } else {
+                        // null cannot be used so add an existing CertificateSourceType
+                        validationCertificatePool.getInstance(certificateToken, certificateToken.getSources().iterator().next());
+                    }
 		}
 
 		this.crlSource = certificateVerifier.getCrlSource();
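Review bot: `certificateToken.getSources().iterator().next()` registers whichever source iterates first, so for a token with more than one source the value passed to `getInstance` depends on the collection's iteration order, which is not visible in this hunk. Because POEExtraction in this same commit keys a proof-of-existence decision on the source being `SIGNATURE_KEY_INFO`, the comment should say why any existing source is acceptable here, e.g. `// token already carries a source from signature parsing; re-register one of them instead of adding UNKNOWN`. The added comment also contains a duplicated word (`has been read completely read`), and the new lines are indented with spaces while the surrounding code uses tabs. The enclosing method starts and ends outside the hunk.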
diff --git a/dss-model/src/main/java/eu/europa/esig/dss/x509/CertificateSourceType.java b/dss-model/src/main/java/eu/europa/esig/dss/x509/CertificateSourceType.java
index f63b371..ebf61bd 100644
--- a/dss-model/src/main/java/eu/europa/esig/dss/x509/CertificateSourceType.java
+++ b/dss-model/src/main/java/eu/europa/esig/dss/x509/CertificateSourceType.java
@@ -26,6 +26,6 @@ package eu.europa.esig.dss.x509;
  */
 public enum CertificateSourceType {
 
-	TRUSTED_STORE, TRUSTED_LIST, SIGNATURE, OCSP_RESPONSE, OTHER, AIA, TIMESTAMP, UNKNOWN;
+	TRUSTED_STORE, TRUSTED_LIST, SIGNATURE, SIGNATURE_KEY_INFO, OCSP_RESPONSE, OTHER, AIA, TIMESTAMP, UNKNOWN;
 
 }
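Review bot: `SIGNATURE_KEY_INFO` is added without a comment saying how it differs from `SIGNATURE`, although other hunks in this commit use it as the condition for granting a certificate a POE. A short Javadoc on the constant would help, for example `/** Certificate taken from the signature's KeyInfo/X509Data/X509Certificate element. */`. Inserting the constant in the middle also shifts the ordinals of `OCSP_RESPONSE` through `UNKNOWN`; if anything persists or compares ordinals (not visible here), appending it at the end would be safer.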
diff --git a/dss-xades/src/main/java/eu/europa/esig/dss/xades/validation/XAdESCertificateSource.java b/dss-xades/src/main/java/eu/europa/esig/dss/xades/validation/XAdESCertificateSource.java
index c4505bd..47cd650 100644
--- a/dss-xades/src/main/java/eu/europa/esig/dss/xades/validation/XAdESCertificateSource.java
+++ b/dss-xades/src/main/java/eu/europa/esig/dss/xades/validation/XAdESCertificateSource.java
@@ -33,6 +33,7 @@ import eu.europa.esig.dss.DSSUtils;
 import eu.europa.esig.dss.DomUtils;
 import eu.europa.esig.dss.utils.Utils;
 import eu.europa.esig.dss.x509.CertificatePool;
+import eu.europa.esig.dss.x509.CertificateSourceType;
 import eu.europa.esig.dss.x509.CertificateToken;
 import eu.europa.esig.dss.x509.SignatureCertificateSource;
 import eu.europa.esig.dss.xades.DSSXMLUtils;
@@ -55,6 +56,8 @@ public class XAdESCertificateSource extends SignatureCertificateSource {
 	private List<CertificateToken> encapsulatedCerts;
 
 	private List<CertificateToken> timestampValidationDataCerts;
+        
+        private CertificateSourceType cstOverride;
 
 	/**
 	 * The default constructor for XAdESCertificateSource. All certificates are extracted during instantiation.
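Review bot: The `cstOverride` field introduced here acts as a hidden argument to `getCertificates`. The constructor hunk sets it to `SIGNATURE_KEY_INFO` just before the `XPATH_KEY_INFO_X509_CERTIFICATE` call and clears it afterwards, and the `getCertificateSourceType()` override in the last hunk of this file reads it. The reset is skipped if that `getCertificates` call throws, and the source label now depends on statement order in the constructor rather than on which XPath was queried. Passing the source type to `getCertificates` explicitly would remove the mutable state (its body is outside the diff, so how it consults `getCertificateSourceType()` is inferred). At minimum, wrap the call as `try { keyInfoCerts = getCertificates(...); } finally { cstOverride = null; }` and add a comment on the field stating that it is only non-null during KeyInfo extraction.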
@@ -79,12 +82,15 @@ public class XAdESCertificateSource extends SignatureCertificateSource {
 		}
 		this.signatureElement = signatureElement;
 		this.xPathQueryHolder = xPathQueryHolder;
-
+                this.cstOverride = null;
+                
 		if (certificateTokens == null) {
 
 			certificateTokens = new ArrayList<CertificateToken>();
 			encapsulatedCerts = getCertificates(xPathQueryHolder.XPATH_ENCAPSULATED_X509_CERTIFICATE);
+                        cstOverride = CertificateSourceType.SIGNATURE_KEY_INFO;
 			keyInfoCerts = getCertificates(xPathQueryHolder.XPATH_KEY_INFO_X509_CERTIFICATE);
+                        cstOverride = null;
 			timestampValidationDataCerts = getCertificates(xPathQueryHolder.XPATH_TSVD_ENCAPSULATED_X509_CERTIFICATE);
 		}
 
@@ -156,4 +162,14 @@ public class XAdESCertificateSource extends SignatureCertificateSource {
 
 		return timestampValidationDataCerts;
 	}
+        
+	@Override
+	protected CertificateSourceType getCertificateSourceType() {
+            if (cstOverride != null) {
+                return cstOverride;
+            }
+            
+            return super.getCertificateSourceType();
+	}
+        
 }
diff --git a/validation-policy/src/main/java/eu/europa/esig/dss/validation/process/vpfswatsp/POEExtraction.java b/validation-policy/src/main/java/eu/europa/esig/dss/validation/process/vpfswatsp/POEExtraction.java
index 419e94a..0e932c8 100644
--- a/validation-policy/src/main/java/eu/europa/esig/dss/validation/process/vpfswatsp/POEExtraction.java
+++ b/validation-policy/src/main/java/eu/europa/esig/dss/validation/process/vpfswatsp/POEExtraction.java
@@ -1,5 +1,6 @@
 package eu.europa.esig.dss.validation.process.vpfswatsp;
 
+import eu.europa.esig.dss.jaxb.diagnostic.XmlChainItem;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
@@ -16,6 +17,7 @@ import eu.europa.esig.dss.validation.reports.wrapper.DiagnosticData;
 import eu.europa.esig.dss.validation.reports.wrapper.RevocationWrapper;
 import eu.europa.esig.dss.validation.reports.wrapper.SignatureWrapper;
 import eu.europa.esig.dss.validation.reports.wrapper.TimestampWrapper;
+import eu.europa.esig.dss.x509.CertificateSourceType;
 import eu.europa.esig.dss.x509.RevocationOrigin;
 
 /**
@@ -75,6 +77,7 @@ public class POEExtraction {
 				if (Utils.isStringNotEmpty(xmlTimestampedObject.getId())) {
 					// SIGNATURES and TIMESTAMPS
 					addPOE(xmlTimestampedObject.getId(), productionTime);
+                                        extractCertPOE(xmlTimestampedObject, diagnosticData, productionTime);
 				} else if (TimestampedObjectType.CERTIFICATE == xmlTimestampedObject.getCategory()) {
 					String certificateId = getCertificateIdByDigest(xmlTimestampedObject.getDigestAlgoAndValue(), diagnosticData);
 					if (certificateId != null) {
@@ -91,6 +94,57 @@ public class POEExtraction {
 		}
 	}
 
+        /**
+         * If a signature is timestamped and certificate is not in signed attributes then we can assess certificate POE from timestamp, if the certificate is 
+         * provided as KeyInfo/X509Data/X509Certificate, see XAdESCertificateSource.getCertificates.
+         * CRL data can be assessed CRL production date
+         * 
+         * @param xmlTimestampedObject
+         * @param diagnosticData
+         * @param productionTime 
+         */
+        private void extractCertPOE(XmlTimestampedObject xmlTimestampedObject, DiagnosticData diagnosticData, Date productionTime) {
+            if (TimestampedObjectType.SIGNATURE == xmlTimestampedObject.getCategory()) {
+                List<XmlChainItem> certChain = diagnosticData.getSignatureById(xmlTimestampedObject.getId()).getCertificateChain();
+                if (certChain != null && certChain.size() > 0) {
+                    XmlChainItem signatureCertificate = certChain.get(0);
+                    String certId = signatureCertificate.getId();
+                    
+                    if (!isPOEExists(certId, productionTime) && CertificateSourceType.SIGNATURE_KEY_INFO.name().equals(signatureCertificate.getSource())) {
+                        System.err.println("Adding: " + certId + " at: " + productionTime + ", src: " + signatureCertificate.getSource() + ", chain instance: " + signatureCertificate + ", thread: " + Thread.currentThread());
+                        Thread.dumpStack();
+                        addPOE(certId, productionTime);                        
+                        addRevocationPOE(certId, diagnosticData, productionTime);
+                    }
+                }
+            }
+        }
+    
+        /**
+         * Revocation info does not need to be protected by timestamp, but it still can be valid. On the other hand, in such a case we will add only CRL POE
+         * if it was generated after signature but before signature's certificate Not After, only then it is useful.
+         * 
+         * POE is 
+         * @param certId
+         * @param diagnosticData
+         * @param productionTime 
+         */
+        private void addRevocationPOE(String certId, DiagnosticData diagnosticData, Date productionTime) {
+            CertificateWrapper cw = diagnosticData.getUsedCertificateById(certId);
+            if (cw != null && cw.getRevocationData() != null) {
+                for (RevocationWrapper rw : cw.getRevocationData()) {
+                    String revocationMasterCertId = rw.getSigningCertificateId();
+                    CertificateWrapper revocationMasterCert = diagnosticData.getUsedCertificateById(revocationMasterCertId);
+                    if (revocationMasterCert != null && revocationMasterCert.isTrusted() && revocationMasterCert.isValidCertificate() &&
+                            productionTime.before(rw.getProductionDate()) && rw.getProductionDate().before(cw.getNotAfter())) {
+                        System.err.println("Adding revocation: " + rw.getId() + ", at: " + rw.getProductionDate());
+                        addPOE(rw.getId(), rw.getProductionDate());
+                    }
+                }
+            }
+
+        }
+
 	private String getCertificateIdByDigest(XmlDigestAlgoAndValue digestAlgoValue, DiagnosticData diagnosticData) {
 		List<CertificateWrapper> certificates = diagnosticData.getUsedCertificates();
 		if (Utils.isCollectionNotEmpty(certificates)) {
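Review bot: In `extractCertPOE` the signing certificate receives a POE at the timestamp's production time solely because its source string equals `SIGNATURE_KEY_INFO`; nothing visible in this hunk checks that the KeyInfo element was covered by the signature's references or by the timestamp imprint. If KeyInfo is not covered, the certificate is not bound to the timestamped data, so this POE and the revocation POEs added through `addRevocationPOE` could be credited to material that was not present when the timestamp was produced. This should be confirmed against the validation rules the module implements. Separately, `System.err.println(...)` (twice) and `Thread.dumpStack()` are debug leftovers that write to stderr on every match and should be removed or moved to the project's logger at debug level. `diagnosticData.getSignatureById(...)` and `rw.getProductionDate()` are dereferenced without null checks (whether they can return null is not visible here), and the Javadoc of `addRevocationPOE` ends in an unfinished `POE is` with empty `@param` tags on both new methods.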

