Oniongroove threat model

Write initial version of Oniongroove threat model, including:

• Consider the scenario where someone run more than a single Onionbalance "frontend" with the same address but with different backends and uploading descriptors at different times. Would this:
  • Impact the Tor network negativelly?
  • Improve load balancing?
  • Be an acceptable frontend failover?
• Loop Mike Perry in the ticket, for review/feedback/awareness.