Backward compatibility: the key store

Promise that we will keep supporting existing key store formats, at least
until a major version comes along.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

BRANCHES.md

@@ -16,7 +16,7 @@ API compatibility in the `master` branch between major version changes. We
 also maintain ABI compatibility within LTS branches; see the next section for
 details.
 
-## Backwards Compatibility
+## Backwards Compatibility for application code
 
 We maintain API compatibility in released versions of Mbed TLS. If you have
 code that's working and secure with Mbed TLS x.y.z and does not rely on
@@ -50,6 +50,19 @@ increase code size for a security fix.)
 For contributors, see the [Backwards Compatibility section of
 CONTRIBUTING](CONTRIBUTING.md#backwards-compatibility).
 
+## Backward compatibility for the key store
+
+We maintain backward compatibility with previous versions of versions of the
+PSA Crypto persistent storage since Mbed TLS 2.25.0, provided that the
+storage backend (PSA ITS implementation) is configured in a compatible way.
+We intend to maintain this backward compatibilty throughout a major version
+of Mbed TLS (for example, all Mbed TLS 3.y versions will be able to read
+keys written under any Mbed TLS 3.x with x < y).
+
+Mbed TLS 3.x can also read keys written by Mbed TLS 2.25.0 through 2.28.x
+LTS, but future major version upgrades (for example from 2.28.x/3.x to 4.y)
+may require the use of an upgrade tool.
+
 ## Current Branches
 
 The following branches are currently maintained: