diff --git a/README.md b/README.md
index b97d3dd..fe322dd 100644
--- a/README.md
+++ b/README.md
@@ -85,13 +85,20 @@ The `issuer_hash` for both files corresponds to the ESSCertID or ESSCertIDv2 has
 
 # How to validate timestamps:
 
-Ultimately the responsibility of validating the timestamps lies with the party who wishes to proof/disprove that they are valid.  
-This repository does come however with an implementation to do so. To use it, simply run `.git/hooks/validate.sh`
+Ultimately the responsibility (and criteria) for validating the timestamps lies with the party who wishes to proof/disprove that they are valid and the policy being used.  
+This repository does come however with an [implementation](hooks/validate.sh) that validates the created timestamps according to the criteria listed below. To use it, simply run `.git/hooks/validate.sh`
 
 `validate.sh` will iterate over the entire commit history of the current branch and for each *timestamp commit* will:
 - Check that the digest contained in the token matches the commit hash of the timestamped commit
 - Checks that the TSA certificate was valid at the time of timestamping, by using historic CRL data
 - Checks whether the TSA certificate or any intermediate certificate in the chain has been revoked and if so, whether the revocationCode matches the acceptable revocation reasons discussed in chapter 4 of the RFC3161 specification (https://tools.ietf.org/html/rfc3161)
+- A commit containing multiple timestamps will be considered valid if there is at least one valid timestamp token (a warning will be printed if there are additional timestamps that are considered invalid)
+
+To perform these checks, the same trusted rootCAs from the `.git/hooks/trustanchors` folder are used.
+No other checks are performed. In particular, a timestamp-token is considered valid beyond the expiration date of its signing certificate if it hasn't been revoked due to a reason other than those specified in chapter 4.1 of the RFC3161 specification.  
+The curent implementation of the validate.sh script also does not consider whether the hashing algorithms used in the timestamp-token or the keylength of the signing certificate are still considered secure.
+
+The script exits with exit code 0 if all tests passed, and with exit code 1 otherwise.
 
 # Author
 
diff --git a/hooks/timestamping b/hooks/timestamping
index 63faf2b..ffe37e8 100644
--- a/hooks/timestamping
+++ b/hooks/timestamping
@@ -51,6 +51,7 @@ exit_trap() {
 trap "exit_trap" EXIT
 
 OUT_STREAM=/dev/null
+#uncomment for verbose output
 #OUT_STREAM=/dev/stdout
 
 #echo red text
@@ -186,22 +187,32 @@ request_token() {
   local REQ_FILE="$TMP_DIR"/token_req.tsq
   if [ "$REQUEST_CERTS" = true ]; then
     if ! openssl ts -query -cert -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then
-      echo "Failed to create token query"
+      echo "Error: Failed to create token query"
       return 1
     fi
   else
     if ! openssl ts -query -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then
-      echo "Failed to create token query"
+      echo "Error: Failed to create token query"
       return 1
     fi
   fi
   local RESPONSE_FILE="$TMP_DIR"/response.tsr
   if ! curl "$TSA_URL" -H "$CONTENT_TYPE" -H "$ACCEPT_TYPE" --data-binary @"$REQ_FILE" --output "$RESPONSE_FILE" &> "$OUT_STREAM"; then
-    echo "Failed to get response from $TSA_URL"
+    echo "Error: Failed to get response from $TSA_URL"
+    return 1
+  fi
+  local RESPONSE_STATUS=$(openssl ts -reply -in "$RESPONSE_FILE" -text 2> "$OUT_STREAM" | awk '/Status: /{print; exit}' | sed 's/Status: //' | sed 's/\.//')
+  if [ "$RESPONSE_STATUS" != "Granted" ]; then
+    echo "Error: Token request was not granted."
+    local STATUS_INFO=$(openssl ts -reply -in "$RESPONSE_FILE" -text 2> "$OUT_STREAM" | awk '/Status info:/{f=1} f {print} /Failure info: /{exit}')
+    echo "$STATUS_INFO"
+    echo "Note: If rejection reason is unrecognized or unsupported algorithm, then this tsa cannot be used for this repository, since it uses --object-format=$ALGO"
+    echo "The token request was:"
+    openssl ts -query -in "$REQ_FILE" -text 2> "$OUT_STREAM"
     return 1
   fi
   if ! openssl ts -reply -in "$RESPONSE_FILE" -token_out -out "$OUTPUT_FILE" &> "$OUT_STREAM"; then
-    echo "Not a valid TSA response in file $RESPONSE_FILE"
+    echo "Error: Not a valid TSA response in file $RESPONSE_FILE"
     return 1
   fi
   return 0
diff --git a/hooks/trust.sh b/hooks/trust.sh
index 2707d31..e8a7e94 100644
--- a/hooks/trust.sh
+++ b/hooks/trust.sh
@@ -59,7 +59,10 @@ fi
 DUMMY_DIGEST=$(echo "0" | git hash-object --stdin)
 DUMMY_TOKEN="$TMP_DIR"/token.tst
 
-request_token "$TSA_URL" "$DUMMY_DIGEST" false "$DUMMY_TOKEN"
+if ! request_token "$TSA_URL" "$DUMMY_DIGEST" false "$DUMMY_TOKEN"; then
+  echo_error "Token request failed, thus the TSA $TSA_URL cannot be added to trusted TSAs."
+  exit 1
+fi
 
 CERTIFICATES="$TMP_DIR"/certificates.pem
 build_certificate_chain_for_token "$DUMMY_TOKEN" "$DUMMY_DIGEST" "$TSA_URL" "$CERTIFICATES"