Sounds like I misinterpreted what you were asking. Yes, those are some tricky problems. It looks like our best choice for a longer-term answer is Persona, but it'll be a while before it's as slick as it should be. :-(
Unless Persona drastically changed in the last couple months, it seems to fundamentally misunderstand the problem of user authentication by assuming email addresses are both canonical and authoritative.
Most people keep an email address for years and that's a lot more than own their own domain.
I simply don't know what would work better than an email address as a virtual identifier - if u have a suggestion please (seriously I want to know) say
edit: wow am I in a bad mood. sorry! I would still like to know if there is a better answer than email addresses - but more politely. Cheers
When people decide to change their email address, they don't want to lose their accounts, and when someone else gets their old email address, they shouldn't have their accounts compromised. Seriously: even just "username" is better than email address. All of the advantages of using an email address as the primary key for an account are either not true or actively dangerous once you realize how little they mean to the vast vast majority of "normal people".
Facebook is a reasonable example: they allow you to use email addresses to log in, but your account is not tied to your email address. Ever since nearly forever, they have let you add new email addresses to your account, and you can remove old ones. They also seem to have some schemes in place for mitigating "I lost access to my University email address, and someone else got it" (which one would imagine to be nigh unto endemic for their use case).
Changing addresses can be dealt with just as it is today:
Let logged in users add additional email addresses to their accounts.
Other people getting your old email address is a bit worse. The easy solution is for providers to not reuse names. You could extend the protocol with a version token, so a provider could say that new bob is different from old bob, and shouldn't be able to log in to old bob's account.
Face books use case is a pathological case from universities back when a 10MB hard disk cost more than a professor. Universities do reuse email addresses but that's policy not need - and even universities can change policy.
Username is horrific as a global identifier - I hate easily.co.uk every time my browser cache gets cleared.
Adding new addresses to an account works and really ISPs ought never reuse emails. A new RFC perhaps?
