PGP cut the Gordian knot and demonstrated that it was _possible_ to have a successful PKI application without a CA. But that is not to say that a trusted third party cannot add value to an application. PGP validated PKI generally but it did not invalidate the CA concept - in the PGP system everyone is a trust provider, everyone is in that sense a CA.
PGP did in fact invalidate the CA concept, very successfully. There is a world of difference between "everyone is a trust provider" and several centralized CAs. Authentication is an essential part of security. If one assumes wrongly who she is talking to, then all "strong crypto" used is irrelevant, since the middleman is browsing the plaintext. If there is a need, CA customers will be given the middleman's keys and all traffic will be systematically captured, re-encrypted and forwarded to the intended recipient for as long as required. Maybe even keys with the same hash (id) can be generated to pass the verification. What percentage of users would do the non-automated, manual check anyway? If trusting a secret key to an escrowing entity (GAK) is a bad deal, how is trusting someone's identity to a CA any different? In both cases security is deposited with an organization that can be influenced in any number of ways. The CA concept does not work because security and privacy are inherently individual, and any forced insertion of third parties in the process is bound to miserably fail.

The Fool