SelfRemove still does not allow atomic removal of all a user's clients

[rohan-wire]

If Alice has multiple MLS clients and wants to leave a group, even with SelfRemove as worded, she still can't remove all her clients in one-shot. Maybe we should modify the semantics of SelfRemove so the ExternalSender is allowed to include other leaf nodes with the same "user" credential?

[raphaelrobert]

I don't think we should make it that complicated. Alice can still issue a Commit removing all her other clients, create the additional SelfRemove proposal based on the new epoch, and send both to the DS in one shot. The only cost is that Alice needs to produce two signatures which I think is tolerable.

[rohan-wire]

I don't object to having two signatures, my concern is that the way the extension is defined now, an External Commit would include the SelfRemove, but not the other Remove proposals. I suppose we could change the handling of Remove proposals in the presence of SelfRemove, but SelfRemove could not operate as a safe extension in that case.