chore: explicitly call out that the stored ARN does not change on VersionKey (#272)

ajewellamz · web-flow · commit 82911ea396c7 · 2024-05-29T16:07:07.000-04:00
diff --git a/framework/branch-key-store.md b/framework/branch-key-store.md
@@ -429,6 +429,10 @@ using the `branch-key-id` as the Partition Key and `"branch:ACTIVE"` value as th
 The `kms-arn` field of DDB response item MUST be [compatible with](#aws-key-arn-compatibility)
 the configured `KMS ARN` in the [AWS KMS Configuration](#aws-kms-configuration) for this keystore.
 
+The `kms-arn` stored in the DDB table MUST NOT change as a result of this operation,
+even if the KeyStore is configured with a `KMS MRKey ARN` that does not exactly match the stored ARN.
+If such were allowed, clients using non-MRK KeyStores might suddenly stop working.
+
 The values on the AWS DDB response item
 MUST be authenticated according to [authenticating a keystore item](#authenticating-a-keystore-item).
 If the item fails to authenticate this operation MUST fail.
