TD0701: Incomplete selection reference in FCS_CKM_EXT.4 TSS activities
One of the TSS activities for FCS_CKM_EXT.4 depends on a selection, but its reference to that selection is incomplete.
The final TSS evaluation activity for FCS_CKM_EXT.4 in OS PP V4.3 is updated as follows, with underlines denoting additions:
If the selection "destruction of all key encrypting keys (KEKs) protecting the target key according to FCS_CKM_EXT.4.1, where none of the KEKs protecting the target key are derived" is included, the evaluator will examine the TOE’s keychain in the TSS and identify each instance when a key is destroyed by this method. In each instance the evaluator will verify all keys capable of decrypting the target key are destroyed in accordance with a specified key destruction method in FCS_CKM_EXT.4.1. The evaluator will verify that all of the keys capable of decrypting the target key are not able to be derived to reestablish the keychain after their destruction.
See issue description.