Discuss behavior on failed consistency checks

[tfpauly]

If you check only one mirror, and consistency fails, you can check another mirror, etc. However, the behavior when you end up with inconsistency in general, the client application needs local policy on what to do.

• If the feature that is inconsistent is optional, the client can just not do it. (Privacy pass helps avoid captchas, but if the key is not consistent, just don't use privacy pass, and show the captcha)
• If the feature is required, but there is a fallback option, use that. (Use a different privacy pass provider, use a different OHTTP/ODoH server, one that is consistent).
• If the feature is required, and all options are inconsistent, fail hard and/or throw an alert. (Private relay would declare an outage if all ODoH servers had invalid keys)

[tfpauly]

Add a new section before security considerations