Commit 3c0ab7f

Adding root key update information.
1 parent 718a7c8 commit 3c0ab7f

1 file changed

+7
-0
lines changed

articles/iot-hub-device-update/device-update-security.md

Lines changed: 7 additions & 0 deletions
@@ -65,6 +65,13 @@ Every Device Update device must contain a set of root keys. These keys are the r
6565

6666
The set of root keys will change over time as it is proper to periodically rotate signing keys for security purposes. As a result, the Device Update agent software will need to be updated with the latest set of root keys at intervals specified by the Device Update team.
6767

68+
Starting with version 1.1.0 of the Device Update agent, the agent will automatically check for any changes to root keys each time a deployment of an update to that device occurs. Possible changes:
69+
70+
* A new root key is available.
71+
* An existing root key is disabled (effectively "revoked"), meaning it is no longer valid for establishing trust.
72+
73+
If either or both of the above are true, the Device Update agent will automatically download from the DU service a new _root key package_. This package contains the complete set of all root keys, as well as a _disabled list_ containing information about which root keys and/or signing keys are no longer valid. The root key package is itself signed with each root key, so that trust for the package can be established both from the original root keys that are part of the DU agent itself, as well as any subsequently-downloaded root keys. Once the validation process is complete, any new root keys are considered to be trusted for the purpose of validating trust with the signing key for a given update manifest, while any root keys or signing keys listed in the disabled list are no longer trusted for that purpose.
74+
6875
### Signatures
6976

7077
All signatures are accompanied by a signing (public) key signed by one of the root keys. The signature identifies which root key was used to sign the signing key.
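
Review bot: The added paragraph at line 73 says the root key package is "signed with each root key" but never states how many of those signatures the agent must verify or what happens when validation fails. "Once the validation process is complete" reads as if completion implies success; suggest "Once the package has been validated successfully" plus one sentence on the failure case (for example, whether the agent keeps its existing root key set and whether the deployment proceeds). It would also help to say whether a signature made by a root key that appears in the disabled list still counts toward trusting the package, and how the agent avoids accepting an older package that is missing a newer disabled-list entry. Two smaller points: the unchanged sentence at line 66 still says the agent software "will need to be updated" with new root keys, which now sits awkwardly beside the automatic check introduced in 1.1.0, so consider scoping it to earlier agent versions; and "DU service" / "DU agent" should match the "Device Update" wording used in the rest of the hunk.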
