FPT_TUD_EXT.1 as currently written has a test Assurance Activity that instructs the evaluator to verify that the TOE rejects an illegitimate update. This does not allow for the case where the administrator follows the instructions in the operational guidance and rejects an illegitimate update.

The Test 2 Assurance Activity should be rewritten as follows:

• Test 2: The evaluator performs the version verification activity to determine the current version of the product. The evaluator obtains or produces an illegitimate update, and attempts to install it on the TOE. The evaluator verifies that the TOE either rejects the update without intervention or detects that the update is illegitimate and allows the administrator to reject the update (as specified in the operational guidance).

The intent of this requirement is that either the TOE rejects the corrupt update without any administrator intervention or the TOE detects a corrupt update and the administrator is instructed by the operational guidance to reject the update. The modification adds the option for administrator intervention.