(Damn, I had wanted to post this yesterday, but then I forgot to quite finish it and it ended up sitting in a tab, unsent.)
Yes, it does: it means that you cannot count on it as a canonical form of identity for any long period of time, as people expect to be able to change it; in fact, many people go through "the great purge" every couple years, deleting their e-mail address and selecting a new one, in order to purposely reboot the people who have their address: to them, it is a way to purposely restart their identity.
You thereby have to think of e-mail addresses as more akin to your home address. If you ask me to log in with my home address, yes, that works: it doesn't work for everyone, as not everyone in the world has a home address, but the same thing can be said for e-mail addresses. Sometimes people will share a home address, but surprise surprise: sometimes people share e-mail addresses as well.
When I am asked to log in to that form with my home address, and it works, you now might claim I've accepted it as part of my identity. Well, I haven't: I'm going to change my home address at some point, and someone else is then going to start living here, which is exactly what happens to many people who use ISP or University -provided e-mail. Hell, it also happens to people with vanity e-mail addresses if they let their domain registration expire (as happened to one of my friends, who otherwise was using the same e-mail address for a very very long period of time).
Yes: it works temporarily, but it isn't my identity, and eventually it will fail, and unless you are really really weird (like, you are the kind of technology person who would probably consider it digital suicide to allow their domain name to expire, and has had the same e-mail address now for well over a decade), it will fail sooner than later, and may even fail on purpose when users invalidate it.
How are usernames any different? You're saying identity is transient. This is true of every sort of identity except perhaps your soul. Regardless email addresses are more stable and unique than usernames. In fact they are just a username plus a domain that happens to have the ability to be routed messages in a standard way.
Of course you should be able to change the email on an account. Usernames can also be changed and are far from canonical. Your point about emails is not invalid, it's just not addressed by usernames, and usernames are actually inferior in that respect.
So, I did not use the word "username" in that comment you are replying to. I thereby will assume you mean "stable and opaque identifier assigned and chosen by the authentication provider", which is what I would argue for (as opposed to attempting to rely on an e-mail address as a stable identifier).
I did use the word "username" in a response to someone else, but that was a very different (and much more abrasive :() argument path.
> Regardless email addresses are more stable and unique than usernames.
E-mail addresses are not more stable that usernames, because e-mail addresses have an external purpose: they receive e-mail. Many people actively go and change their email addresses periodically in order to stop receiving e-mail from people they previously were receiving e-mails from.
A "username" (your word here), especially (and maybe specifically) the "good" kind that is never shown to another user and is just used for account canonicalization, which conceptually could be a random number assigned by the system, is something that the user has no reason to change unless they actually want to never log in to the account again.
E-mail addresses also are tied to the DNS system, which other forms of identification need not be: you can instead tie them to a private key kept by the authentication provider. That would make "me" be A@B where A is a number and B is a key pair. In this way, even if the way you continue to contact my authentication provider lapses (such as attempting to use a hostname) only if the new owner has the same key are they able to claim the identities there (unlike e-mail) and as the user specifier is opaque (not a string that I'm going to care about and want to make pretty, or something I'd ever want to change unless I actively want to lose access to my account) it will not run afoul of the problem with e-mail where people feel compelled to reuse them after some time of abandonment.
The problem then with Persona is that it is the websites consuming it who have the onerous job of dealing with every possible e-mail address change a user may request. With more classic attempts at federated login, users may end up with multiple authentication providers that can become somewhat confusing, but they demand to change authentication providers and especially lose access entirely to authentication providers sufficiently rarely that it is a non-issue to handle the support load of helping users remap their accounts (something that is difficult to automate, of course, in the case where the user already lost access to their old identity). With Persona, this is now something that the user has to do when they change e-mail addresses at every site they may ever have logged in to using their account, ever. :(
Yes, it does: it means that you cannot count on it as a canonical form of identity for any long period of time, as people expect to be able to change it; in fact, many people go through "the great purge" every couple years, deleting their e-mail address and selecting a new one, in order to purposely reboot the people who have their address: to them, it is a way to purposely restart their identity.
You thereby have to think of e-mail addresses as more akin to your home address. If you ask me to log in with my home address, yes, that works: it doesn't work for everyone, as not everyone in the world has a home address, but the same thing can be said for e-mail addresses. Sometimes people will share a home address, but surprise surprise: sometimes people share e-mail addresses as well.
When I am asked to log in to that form with my home address, and it works, you now might claim I've accepted it as part of my identity. Well, I haven't: I'm going to change my home address at some point, and someone else is then going to start living here, which is exactly what happens to many people who use ISP or University -provided e-mail. Hell, it also happens to people with vanity e-mail addresses if they let their domain registration expire (as happened to one of my friends, who otherwise was using the same e-mail address for a very very long period of time).
Yes: it works temporarily, but it isn't my identity, and eventually it will fail, and unless you are really really weird (like, you are the kind of technology person who would probably consider it digital suicide to allow their domain name to expire, and has had the same e-mail address now for well over a decade), it will fail sooner than later, and may even fail on purpose when users invalidate it.