For 3b) you're relying on the broken Certificate Authority system of PKI; you're "trusting" that your browser or OS is using only authentic certificates from Certificate Authorities that haven't abused the system to issue false certificates. Fortunately, once you've downloaded the GnuPG key for Enigmail you can see whether it is trusted by following the Web of Trust. If you've signed (trusted) the key of someone who has signed (trusted) the Enigmail GnuPG key, then you can trust the Enigmail GnuPG key too. If there's no one whose key you've signed directly, perhaps there's a chain of signatures through the Web of Trust that leads back to the Enigmail key. The more keys you verify, sign, and trust, the more effective this becomes. So, attend or hold a Crypto party to expand the Web of Trust!
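The chain-of-signatures idea in the comment above is a graph search, and it is worth seeing where it stops short: a signature alone does not make a key valid; you also have to decide how far you trust each intermediate key holder as an introducer (GnuPG's "ownertrust"). The following is an added illustration, not code from the comment author, Enigmail or GnuPG. The keyring, the key labels (alice, bob, carol, dave, erin, enigmail) and the ownertrust assignments are constructed for the example; the "full introducer only" rule and the default chain length of 5 are a simplified reading of GnuPG's classic trust model (it also accepts several marginally trusted introducers, which is omitted here).

```python
from collections import deque

# Constructed toy keyring: key label -> set of labels of keys that have
# signed (certified) it. Labels are made up; they are not real key IDs.
SIGNATURES = {
    "alice":    set(),             # alice is "you"; your own key needs no signer
    "bob":      {"alice"},         # you signed bob's key after verifying it in person
    "carol":    {"bob"},           # bob signed carol's key
    "dave":     {"alice"},
    "erin":     {"dave"},
    "enigmail": {"carol", "erin"}, # the key we want to validate
}

# Ownertrust you have assigned: how much you trust each holder to vouch for
# other keys. Only "full"/"ultimate" introducers may extend a chain here
# (simplification of GnuPG, which also counts several "marginal" ones).
OWNERTRUST = {
    "alice": "ultimate",
    "bob":   "full",
    "carol": "full",
    "dave":  "full",
    "erin":  "marginal",   # erin's certifications alone are not enough
}

MAX_CERT_DEPTH = 5   # same default as GnuPG's --max-cert-depth


def certified_by(keyring):
    """Invert the keyring: signer -> set of keys that signer has certified."""
    forward = {k: set() for k in keyring}
    for key, signers in keyring.items():
        for signer in signers:
            forward.setdefault(signer, set()).add(key)
    return forward


def find_trust_path(keyring, ownertrust, owner, target, max_depth=MAX_CERT_DEPTH):
    """Breadth-first search for the shortest certification chain
    owner -> k1 -> ... -> target, where each arrow is "signed the key of".

    A key can extend the chain only if you assigned it full/ultimate
    ownertrust; the target itself needs only a valid signature. Returns the
    chain as a list, or None when no acceptable chain exists.
    """
    forward = certified_by(keyring)
    if owner == target:
        return [owner]
    queue = deque([[owner]])
    seen = {owner}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if ownertrust.get(current) not in ("full", "ultimate"):
            continue  # not an acceptable introducer: the chain stops here
        if len(path) - 1 >= max_depth:
            continue  # adding another hop would exceed the allowed depth
        for key in sorted(forward.get(current, ())):
            if key in seen:
                continue
            seen.add(key)
            new_path = path + [key]
            if key == target:
                return new_path
            queue.append(new_path)
    return None


def is_key_valid(keyring, ownertrust, owner, target, max_depth=MAX_CERT_DEPTH):
    """True when target is reachable through trusted introducers from owner."""
    return find_trust_path(keyring, ownertrust, owner, target, max_depth) is not None


if __name__ == "__main__":
    print(find_trust_path(SIGNATURES, OWNERTRUST, "alice", "enigmail"))
    # The dave -> erin route is shorter to discover but dead-ends at erin,
    # because erin is only marginally trusted as an introducer.
    print(is_key_valid(SIGNATURES, OWNERTRUST, "alice", "erin"))
```

Running it shows that the Enigmail key validates through alice, bob and carol, while the route via erin stops because erin was never trusted as an introducer. The practical point for the comment's advice: signing keys at a crypto party adds edges to this graph, but the chain only helps once you have also recorded how much you trust each of those people to vouch for others.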