When I worked at RSA Data Security, we got very excited about a particular use of public-key cryptography: digitally signed photographs.
At the time UN weapons inspectors were using special cameras. The pictures they took were converted into bits inside a special tamper-resistant module inside the camera. Inside this module was also an RSA private key, used to sign the photo. Later on, if someone claimed that the photo was altered (say, with photoshop), the signature could be checked.
Incidentally, tamper-resistant chips or modules work just like regular hardware, except they have some sort of shield that prevents regular monitoring techniques (such as logic analyzers) from seeing anything on the device. Furthermore, the shield is constructed such that the act of removing it causes the device to "self-destruct". For example, a "simple" technique is to coat the module with a plastic or resin. That's the shield, plus if someone tries to peel off the coating, the chips are destroyed. Think of tearing a price tag off of a cardboard box. Sometimes the price tag is glued on so well, that the only way to get it off is to tear some of the box as well.
Back to the cameras. When the camera is built, the tamper-resistant module generates an RSA key pair, keeps the private key on the module, and exports the public key. If someone alters a photo, the signature is no longer valid. So to break this system, someone will have to either get the private key from the module (no one was able to do that) or break RSA at 2048 bits (I still think no one has been able to do that).
This would be an interesting feature to have on cameras other than those used by UN weapons inspectors. In fact, compaines that sell security cameras do indeed advertise that their products apply a digital signature to images. If something ever ends up in court, judges and juries can see that they are looking at unaltered images.
However, this feature will almost certainly never be part of consumer cameras. It would simply raise the cost of cameras too much.
But what's interesting is that is another example of PKI that worked. But why did it work? I think because it only did one-sided authentication for a specific purpose. That's it, no encryption, no wide-scale auth, no auth for anything other than photos, no cross-certification. It would be easy for the camera manufacturer to get a CA cert from a readily available root (such as Verisign). Then create a cert for each camera.
So if someone peddling PKI points to this example, then point out that this is a very simple case. Not many nodes, not many features, one company controls all the nodes and cert generation. How well does PKI work in complex situations? Does someone have an example?