it running at an individual user level with the www.keyservers.net
Which is not secure :-)
but for TLS NO CA will deliver a certificate that can sign other certificates
One particular CA that is built in some particular MUA's does.
(corporate e-mail certificates).
Nothing stops somebody working for that corporation to become the CA of that corporation. Thus, all people working for that corporation can rely on that CA to trust each other. Might fit some needs.
...my current understanding is.
Alex GBU