The su command on most systems requires the user to supply a password to
switch to another user's identity. However, it is often useful to
authenticate using public-key cryptography instead; for instance, when
logging in over SSH or SSL, or when you are already using a keyring manager
to securely control the use of keys.

It may be possible to make su perform public-key authentication using a PAM
module. This would allow an entirely unprivileged SSH server to be written that
simply deferred to su to start users' processes, or allow su to use a forwarded
ssh-agent connection to draw on authentication information from a remote machine.
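
An added example, not part of the original page: a PAM module that authenticates through a forwarded ssh-agent would send the agent a sign request over its socket and read back a signature. The Python below builds that request and strictly parses the reply, using the message numbers from the ssh-agent protocol draft; the challenge layout, its label and the function names are assumptions made for illustration.

```python
import struct
from typing import Optional

# Message numbers defined by the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_challenge(target_user: str, nonce: bytes) -> bytes:
    """Hypothetical challenge layout: label, target account, fresh nonce.
    Binding the account name keeps a signature obtained for one su target
    from being accepted for another; the nonce prevents replay."""
    return (ssh_string(b"pam-su-pubkey-example")
            + ssh_string(target_user.encode())
            + ssh_string(nonce))


def build_sign_request(key_blob: bytes, challenge: bytes, flags: int = 0) -> bytes:
    """Frame a sign request exactly as it is written to the agent socket."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(challenge) + struct.pack(">I", flags))
    return ssh_string(body)  # the outer frame is length-prefixed too


def parse_sign_response(frame: bytes) -> Optional[bytes]:
    """Return the signature blob, or None if the agent refused to sign.
    Raises ValueError on malformed framing rather than trusting lengths."""
    if len(frame) < 5:
        raise ValueError("short frame")
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:]
    if length != len(body):
        raise ValueError("frame length mismatch")
    if body[0] == SSH_AGENT_FAILURE:
        return None
    if body[0] != SSH_AGENT_SIGN_RESPONSE or len(body) < 5:
        raise ValueError("unexpected reply type")
    (siglen,) = struct.unpack(">I", body[1:5])
    if siglen != len(body) - 5:
        raise ValueError("signature length mismatch")
    return body[5:]
```

The returned blob still has to be verified against a public key that the target account has authorised, using a nonce from os.urandom for each attempt; a refusal (None) or a parse error must be treated as an authentication failure.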