pem-dev

Re: Signatures - Digital vs. Analog

1993-08-05 07:11:00
Tom,

        DNs for roles are a well defined (in X.500), if not a
universally understood concept.  An individual acting as purchasing
agent for a company could have two certificates, one as an employee
and one for the role of purchasing agent.  It would be prudent to
require the use of different keys for these certificates, and one
could argue that the company should maintain control of the latter
key, while the former ought to be controlled by the individual.
Depending on the technology used to implement the signature facility,
when a different person takes on the job of purchasing agent, he/she
might be able to make use of the same purchasing agent certificate.
If technology does not permit, then the old certificate for that
purchasing agent could be added to the CRL, and a new one, with the
same DN but a new key, could be issued to the individual now serving
in that role.

        While this analysis does not completely refute your claim that
digital signatures cannot serve as replacements for "wet" signatures
in (all?) business contexts, I think it does address an apparent
misunderstanding about how roles can be represented using certificates.

Steve
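
The handover described in the message above, as an added example that is not part of the original post: a small Python model in which a CRL lists certificates by serial number, so revoking the old role certificate does not block a new certificate issued under the same DN with a new key. The DNs, key labels and class names are constructed for illustration, and `key_id` stands in for a real public key (no cryptography is performed).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str      # DN of the issuing CA
    serial: int      # unique per issuer; this is what a CRL lists
    subject: str     # DN of the individual or of the role
    key_id: str      # stand-in for the certified public key

class CA:
    def __init__(self, dn):
        self.dn, self.next_serial, self.crl = dn, 1, set()

    def issue(self, subject, key_id):
        cert = Cert(self.dn, self.next_serial, subject, key_id)
        self.next_serial += 1
        return cert

    def revoke(self, cert):
        self.crl.add(cert.serial)   # CRL entries are serials, not DNs

def accept(cert, signing_key_id, ca):
    """Relying-party check: right issuer, right key, not on the CRL."""
    return (cert.issuer == ca.dn
            and cert.key_id == signing_key_id
            and cert.serial not in ca.crl)

def handover_demo():
    ca = CA("O=Example Corp")                        # constructed DN
    role_dn = "O=Example Corp, CN=Purchasing Agent"  # constructed role DN
    # Employee certificate: key controlled by the individual.
    alice = ca.issue("O=Example Corp, CN=Alice", "alice-personal-key")
    # Role certificate: separate key, controlled by the company.
    old_role = ca.issue(role_dn, "role-key-1")
    # A new person takes the job and the old key cannot be reused:
    ca.revoke(old_role)
    new_role = ca.issue(role_dn, "role-key-2")
    return {
        "same_dn": old_role.subject == new_role.subject,
        "old_role_accepted": accept(old_role, "role-key-1", ca),
        "new_role_accepted": accept(new_role, "role-key-2", ca),
        "old_key_under_new_cert": accept(new_role, "role-key-1", ca),
        "personal_cert_unaffected": accept(alice, "alice-personal-key", ca),
    }

if __name__ == "__main__":
    print(handover_demo())
```
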

