The same thing could be done with GPG, via identity validation (jumping through whichever hoops are required to link people's claimed 'real' world identities with their keys; probably checking documentation and then signing a key). However, that's probably best achieved via some decentralized method rather than trusting a centralized corporate intermediary as per X.509 CA's.