Right now with email+password, it is possible to sign up multiple times using different variations of the same functional email address.
For example, you can create one user with email@example.com, and another one with firstname.lastname@example.org, and both emails will reference the same actual functional email address, email@example.com.
This opens the door to a whole variety of exploits and phishing attacks.
So my question is: how can we prevent multiple signups with the same normalized email address?
I would be interested in hearing about any exploits/attacks you have.
You can use a pre-registration action or hook to normalize and look up the email, disallowing it if it exists.
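As an added illustration of the pre-registration hook described in this answer (example code, not something the poster or any particular identity platform ships): a normalizer that folds case, collapses a provider alias, and strips `+tag` sub-addresses and local-part dots only for providers that are known to ignore them, plus a store that refuses a signup whose normalized key already exists. The provider policy table, the `UserStore` class and the `pre_register` name are assumptions chosen for the example; which providers ignore dots or plus tags is provider-specific, so the table should be reviewed for the providers you actually see.

```python
import re
from dataclasses import dataclass, field

# Constructed policy table (an assumption for this example): providers that
# ignore dots in the local part, providers that honour a '+' sub-address tag,
# and domain aliases that deliver to the same mailbox.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def normalize_email(address: str) -> str:
    """Return a canonical form so that variants of one mailbox compare equal.

    Steps: trim, lowercase the domain (always) and the local part (an assumption:
    RFC 5321 allows case-sensitive local parts, but mainstream providers treat
    them case-insensitively), collapse domain aliases, then drop '+tag'
    sub-addresses and local-part dots only for providers known to ignore them.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.lower()
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]          # 'user+promo' -> 'user'
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")          # 'first.last' -> 'firstlast'
    if not local or not re.fullmatch(r"[a-z0-9.-]+", domain):
        raise ValueError(f"malformed address: {address!r}")
    return f"{local}@{domain}"


@dataclass
class UserStore:
    """Minimal in-memory stand-in for the user table (constructed for the example).

    Keys are normalized addresses; values keep the address as typed, so the
    user still sees what they entered while lookups use the canonical form.
    """
    _users: dict = field(default_factory=dict)

    def pre_register(self, address: str) -> bool:
        """Pre-registration hook: allow the signup only if no existing user
        normalizes to the same mailbox. Returns True when the user was created."""
        key = normalize_email(address)
        if key in self._users:
            return False
        self._users[key] = address
        return True

    def lookup(self, address: str):
        """Find the stored user for any variant of the address."""
        return self._users.get(normalize_email(address))


if __name__ == "__main__":
    store = UserStore()
    print(store.pre_register("First.Last@gmail.com"))        # True: first signup
    print(store.pre_register("firstlast+promo@GMail.com"))   # False: same mailbox
    print(store.lookup("f.i.r.s.t.l.a.s.t@googlemail.com"))  # 'First.Last@gmail.com'
```

Two practical points the hook alone does not cover: the lookup-then-insert in `pre_register` races with a concurrent signup, so the normalized column should also carry a unique constraint in the database and the hook should treat a constraint violation as "already registered"; and the same `normalize_email` function must be used wherever an address is matched later (invitations, password resets, sharing), otherwise the two paths disagree about which account an address belongs to.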
It becomes a problem when connected to other services that normalize the email address, for example services that handle invitations to share resources by specifying the email address of the share target. Then suddenly both accounts, or the wrong one, get access to the resource.