Secure delivery of certified products

Secure delivery is the process of transferring certified products to the user. Manipulation during this phase, e.g. the implanting of Advanced Persistent Threats, might be undetectable. Even security domains that Common Criteria approaches rely on may be exploited. The paper assesses the security claims for secure delivery and deferrals to the post-delivery phase. Results of assurance components may be subverted if not protected during delivery. Risk management and Common Criteria differ in who is responsible for risk decisions, but a certification may leave residual risks beyond technology. The paper outlines approaches that focus on how users can validate that they are using an authentic Target of Evaluation (TOE).

