JDK-4731456 : LDAPCertStore should support lookups via email address
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.1
  • Priority: P4
  • Status: Resolved
  • Resolution: Won't Fix
  • OS: generic
  • CPU: generic
  • Submitted: 2002-08-14
  • Updated: 2015-05-15
  • Resolved: 2015-05-15
Description
Copied from 4531698:

===
2) It would be nice if our LDAPCertStore.getCertificates() implementation
was enhanced to find certificates when the specified X509CertSelector
contains a subjectAlternativeName criterion with an RFC822 email address
(and a null subject criterion). The implementation should search the
directory for DN entries containing the "mail" attribute with the
specified RFC822 email address and then return certificates in that entry
with SubjectAltName extensions containing the specified email address.
This would be especially useful for S/MIME applications, and would allow
the CertPathBuilder to build a path to a target certificate when the
subject's email address, but not the subject DN, is known. This is a
common usage case in S/MIME when the relying party wants to send an
encrypted email to someone but doesn't have their certificate and only
knows their email address.

3) The reverse builder uses the target subject name for deciding
which certificates are most promising and ensuring that prospective CA
certificates don't contain name constraints that would prohibit the
desired target subject. This optimization should be done only if a 
non-null subject DN is set. (I think it is simply a matter of checking
if selector.getSubjectAsBytes() == null in ReverseBuilder.java)
===

Note that LDAPCertStoreParameters currently do not include a baseDn, which would make searches via email address somewhat inefficient. An API change may be in order.

As explained in the evaluation for 4531698, (3) is currently not a real issue but may become one if (2) is implemented. Therefore, that text is duplicated here.
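
An added example, not part of the original report or of the JDK: an application-side version of the lookup that item (2) asks for, done with JNDI directly and filtered with the same kind of X509CertSelector. The class name, `ldapUrl`, `baseDn` and the use of the standard `userCertificate;binary` LDAP attribute are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

// Hypothetical helper class; ldapUrl and baseDn are caller-supplied assumptions.
public class MailCertLookup {
    public static CertStore findByEmail(String ldapUrl, String baseDn, String email)
            throws Exception {
        // Selector from the report: rfc822Name SAN criterion, subject left null.
        X509CertSelector sel = new X509CertSelector();
        sel.addSubjectAlternativeName(1, email); // 1 = rfc822Name GeneralName type

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"userCertificate;binary"});

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> hits = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        try {
            // {0} is substituted by JNDI with filter escaping, so the address
            // cannot inject LDAP filter syntax.
            NamingEnumeration<SearchResult> res =
                    ctx.search(baseDn, "(mail={0})", new Object[] {email}, sc);
            while (res.hasMore()) {
                Attribute a = res.next().getAttributes().get("userCertificate;binary");
                for (int i = 0; a != null && i < a.size(); i++) {
                    X509Certificate c = (X509Certificate) cf.generateCertificate(
                            new ByteArrayInputStream((byte[]) a.get(i)));
                    // The "mail" attribute is directory data; keep only certificates
                    // whose signed SubjectAltName carries the address.
                    if (sel.match(c)) hits.add(c);
                }
            }
        } finally {
            ctx.close();
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(hits));
    }
}
```

The returned CertStore can be handed to a CertPathBuilder through PKIXBuilderParameters.addCertStore(); the certificates in it are only candidates until a path to a trust anchor validates.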

Comments
No longer considered important.
15-05-2015

EVALUATION Under consideration for Tiger. 2002-09-09
09-09-2002