Tom,
We've had this discussion before on the list, over a year ago.
The following was the conclusion at the time:
It would be preferable to have certificates for roles in a
company, with access to the private key retained by the company as
different employees occupy the same role over time. That eliminates
the issue of who gets to retain the key and who is liable for what.
Use of suitable hardware technology could allow the employee to use the
private key to perform his duties without having access to it.
Individually named employee certificates could be used with keys that
employees get to keep, even if they move to a new company, because the
binding between the key and the old company affiliation is hot listed
when you leave the company.
Steve