Bob,
I think your message to Carl about possible uses for PEM in a
corporate environment touches upon a number of good examples, but
I tend to disagree with some of your conclusions.
My view is that digitally signing anything has NO formal
consequences at all, without an explicit declaration of the semantics
of such a signature. I take this position based on the observation
that without establishing the time and semantic context of a signed
communication, it is foolish to ascribe any binding, legal
significance to a signed message.
From this perspective, I can't see why a company would be
concerned about the use of PEM for privacy/confidentiality purposes
internally, irrespective of its use for EDI-like purposes. For
example, one might make PEM available to managers to allow them to
exchange reviews with the HR department over the net in a confidential
fashion (vs. via sneaker net). One might use it for confidentiality
for projects the company wants to keep very quiet, internally. For a
company that exchanges email among a range of geographically dispersed
offices, perhaps via public networks, the privacy and authenticity
features would constitute a real improvement over plaintext email.
One might even use persona certificates for the corporate
whistleblower mailbox.
Steve
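The point Steve makes about a signature having no binding meaning until its time and semantic context are declared can be made concrete by looking at what bytes actually get signed. The following is an added illustration, not code from the message or from any PEM implementation: HMAC-SHA256 stands in for the public-key signature PEM would produce (the primitive is not the point, the signed content is), the key, purposes and timestamps are constructed demo values, and the function names are hypothetical. A relying party that receives a signature over the bare body has to take the presenter's word for what the body meant; when the declared purpose and timestamp are part of the signed bytes, the same check rejects any other interpretation.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. HMAC-SHA256 stands in for the real public-key
# signature; the lesson is about which bytes are covered by the signature.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

REVIEW = "performance-review-ack"
PURCHASE = "purchase-order-approval"
T0 = "1993-02-01T09:00Z"
T1 = "1993-03-01T09:00Z"


def canonical(purpose: str, timestamp: str, body: bytes) -> bytes:
    """Canonical encoding of the declared semantics plus the body, so signer
    and verifier hash identical bytes (sorted keys, no optional whitespace)."""
    doc = {"purpose": purpose, "ts": timestamp, "body": body.decode("utf-8")}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_bare(key: bytes, body: bytes) -> bytes:
    """Signature over the body alone: says nothing about what it meant or when."""
    return hmac.new(key, body, hashlib.sha256).digest()


def sign_bound(key: bytes, body: bytes, purpose: str, timestamp: str) -> bytes:
    """Signature over body plus explicitly declared purpose and time."""
    return hmac.new(key, canonical(purpose, timestamp, body), hashlib.sha256).digest()


@dataclass
class Presentation:
    """What a relying party is handed: the body, the signature, and the
    purpose/time the presenter *claims* the signature applies to."""
    body: bytes
    sig: bytes
    claimed_purpose: str
    claimed_ts: str
    bound: bool  # True if the signer used sign_bound, False for sign_bare


def relying_party_accepts(key: bytes, p: Presentation) -> bool:
    """Verify the signature under the semantics the presenter asserts.

    For a bare signature the claimed purpose and time cannot be checked at
    all, because they were never signed; for a bound signature they are
    recomputed into the signed bytes and any mismatch fails verification."""
    if p.bound:
        expected = sign_bound(key, p.body, p.claimed_purpose, p.claimed_ts)
    else:
        expected = sign_bare(key, p.body)  # claimed_purpose/claimed_ts ignored
    return hmac.compare_digest(expected, p.sig)


def demo() -> dict:
    """Run both schemes through the same relying-party check and return the
    outcomes, so the difference is visible as data rather than prose."""
    body = b"Approved."
    bare_sig = sign_bare(DEMO_KEY, body)
    bound_sig = sign_bound(DEMO_KEY, body, REVIEW, T0)
    return {
        # The bare signature "proves" whatever the presenter claims it proves.
        "bare_as_review": relying_party_accepts(
            DEMO_KEY, Presentation(body, bare_sig, REVIEW, T0, bound=False)),
        "bare_as_purchase": relying_party_accepts(
            DEMO_KEY, Presentation(body, bare_sig, PURCHASE, T1, bound=False)),
        # The bound signature verifies only under the semantics that were signed.
        "bound_as_review": relying_party_accepts(
            DEMO_KEY, Presentation(body, bound_sig, REVIEW, T0, bound=True)),
        "bound_as_purchase": relying_party_accepts(
            DEMO_KEY, Presentation(body, bound_sig, PURCHASE, T0, bound=True)),
        "bound_other_time": relying_party_accepts(
            DEMO_KEY, Presentation(body, bound_sig, REVIEW, T1, bound=True)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The design choice worth noting is that the declaration of semantics has to be inside the signed bytes, in a canonical form both sides compute independently. A purpose or timestamp carried in an unsigned header, or merely implied by which mailbox the message arrived in, is exactly the situation the message above describes: the signature is genuine, but it binds the signer to nothing in particular.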