The X.509 model is actually fairly appropriate for corporate use - a central corporate CA can issue certificates for their employees. Such centralised operation is entirely correct in such an environment.

However, the neat thing about the web-of-trust model is that it's more general than hierarchial trust; a hierarchy is, in fact, a restricted form of a web.

So there should be a simple tool built into the directory services stuff used to maintain a centralised organisational user database (I must confess I've never come across Macs configured to operate in this way; I suspect most organisations will really be running Windows with Active Directory in the core; but a Mac can talk to that, which is sufficient for this purpose). It would simply manage an X.509-esque certificate hierarchy. Users who are connected to a directory service would be given the option, when they have created a private key, to submit it to The Directory for signing. In which case, the key management system (actually alongside the directory) would check the details on the key strictly match those on the user account that's submitting the key, and if so, sign it with a master key (to publish the fact that it's done the check), then slip the signed public key into the directory - and into public keyservers so that other organisations can then see that the new employee is, in fact, a certified employee of BigCorp when they start sending emails from their BigCorp address.

Oh, and when an account is deleted from the directory, the key management system would notice this and immediately publish a revocation of the organisation's signature of the key.

The next version of the thing could also support role/group keys. Administrators could grant a keypair to a user group, then a proxy system could ensure that outgoing email from members of that group (as long as the signature matches a real group member!) is also signed automatically by the group's key, optionally removing the original author's signature. This would enable digital identities to be assigned to roles or teams within an organisation, even as members come and go. Exactly how to implement the proxying is an intereting question; for emails, how do you know if an email is semantically from its author, or from a role the author holds? If you use a mail client that supports multiple sending accounts it becomes easy. But what about signing files and the like?

Incoming encrypted emails to the role/group are easy to handle - the mail system can decrypt them, then re-encrypt them for the members of the group and distribute it to them.