Changing addresses can be dealt with just as it is today:
Let logged in users add additional email addresses to their accounts.
Other people getting your old email address is a bit worse. The easy solution is for providers to not reuse names. You could extend the protocol with a version token, so a provider could say that new bob is different from old bob, and shouldn't be able to log in to old bob's account.
Changing addresses can be dealt with just as it is today: Let logged in users add additional email addresses to their accounts.
Other people getting your old email address is a bit worse. The easy solution is for providers to not reuse names. You could extend the protocol with a version token, so a provider could say that new bob is different from old bob, and shouldn't be able to log in to old bob's account.