I'd put this a different way. Until PKIs are able to represent the
rich diversity of trust relationships that exist in the real world,
they are mere curiosities with marginal practical value.
That's a true statement whether it's the PKI's fault or not.
I think Keith has mixed up authentication with authorization. It is
true that I will only trust certain people in certain ways. But whether
those certain people are who they are, and whether a message from them is in
fact from them, is something we can determine with PKIs. That having
been said, they still don't work.
Why? Because nobody actually has the patience for them, so far as I can
tell. CRLs are not managed at ALL on the Internet, and so far as I
know, every Tom, Dick, and Jane will ignore PKI warnings.