Just to correct one minor mistake:
Where PGP falls down, at least in the current version, is that the
mechanisms for certificate revocation are rudimentary. Certificates
don't have expiration dates, and there is no requirement that users
check a repository to see if a certificate has been revoked. (Of
course PEM's implementation of CRL's, especially the distribution of
them, isn't something to brag about too much either.)
This is not entirely true. PGP certificates do have expiration dates;
PGP just doesn't currently use the expiration field, it leaves it at
zero. But the field exists, and I suspect a future version of PGP
will actually use it for something.
-derek