
CDD: Add req for the trust agent escrow token system API

Add requirements to account for the new methods in
TrustAgentService that allow unlocking a device based on escrow
tokens.

Bug: 36237319
Test: Documentation update.
Change-Id: I38cec1d94bbcbcbf97782308dc800abf650d6532
diff --git a/9_security-model/9_11_keys-and-credentials.md b/9_security-model/9_11_keys-and-credentials.md
index a24d12f..2003000 100644
--- a/9_security-model/9_11_keys-and-credentials.md
+++ b/9_security-model/9_11_keys-and-credentials.md
@@ -56,8 +56,16 @@
     the lock screen.
 *   MUST respect and fully implement all trust agent APIs in the
     `DevicePolicyManager` class, such as the [`KEYGUARD_DISABLE_TRUST_AGENTS`
-    ](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#KEYGUARD_DISABLE_TRUST_AGENTS)
+    ](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#KEYGUARD&lowbarDISABLE&lowbarTRUST&lowbarAGENTS)
     constant.
+*   MUST NOT fully implement the `TrustAgentService.addEscrowToken()` function
+    on a device that is used as the primary personal device (e.g. handheld) but
+    MAY fully implement the function on device implementations typically shared.
+*   MUST encrypt the tokens added by `TrustAgentService.addEscrowToken()` before
+    storing them on the device, and MUST NOT store the encryption key on the
+    device.
+*   MUST inform the user about the security implications before enabling the
+    escrow token to decrypt the data storage.
 
 Device implementations MAY add or modify the authentication methods to unlock
 the lock screen.
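Review bot: the `-`/`+` pair that edits the existing link replaces each `_` in the anchor with `&lowbar` but drops the closing `;`, so the fragment becomes `#KEYGUARD&lowbarDISABLE&lowbarTRUST&lowbarAGENTS` instead of `#KEYGUARD_DISABLE_TRUST_AGENTS`; either keep the literal underscores or write the full entity `&lowbar;` so the rendered link still resolves to the constant. In the added bullets, the `MUST NOT fully implement` / `MAY fully implement` split rests on "a device that is used as the primary personal device (e.g. handheld)" versus "device implementations typically shared", which gives no testable criterion for deciding which case a given device falls into; consider anchoring it to a device-type definition the CDD already uses. The encryption bullet states where the key MUST NOT be stored but not what is expected instead, so a sentence on the intended key handling would make the requirement verifiable.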