If you want to allow other people to read your PEM email but don't want to
allow them to be able to send email using it, then you need to have one cert
that that is used for email reception and another one used to sign
messages that you send. The cert for reading needs to be issued under
a PCA that issues certs just for this purpose and that explicitly states
that messages signed with a cert issued under this PCA are not valid.
This sort of cert would allow the US president to receive encrypted email
without the volunteers being able to send signed email.
Yes you could add flags / more IDs to DNs etc, enhance the protocol, but
you don't need to.
Pete.