Following those instructions was a pain, as, embarrassingly for Apple's Safari team or the Thawte people, you need a fully fledged Mozilla-type browser to get hold of the certificate on the Mac. Once that is done and you've added your certificate to the keychain – a capability of the keychain that has been around since the MacOS 9 days btw – everything is smooth as silk, though.
To begin with, apart from that 'index encrypted messages' option, the non-user of certificates won't even know about Mail's authentication and encryption capabilities. And even when you're using them, things happen mostly automagically – in my opinion the key point to making people adopt these technologies. Let's hope that certificates will become more readily available in the future.
I have one question to add to this: German webmail service web.de does offer encrypted e-mail via their web site. They also verify your personal data (I think I had to mail them something back when I got the account) and let you download your certificate. Download is smooth, no Mozilla needed, as is import to the keychain – a simple double click. Sadly, that was about all that worked. Sending messages from the web-based service to myself will cause Mail to complain that the signature couldn't be verified, and the key I downloaded didn't seem to include a private key, so I can't use it to sign messages. Odd.
Not fully understanding what's going on may be unhelpful as well.
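The symptom described above, a certificate that imports with a double click but cannot be used to sign, is exactly what a download containing only the certificate (and no private key) produces. The following POSIX shell script is an added example, not part of the original post or of anything web.de, Thawte or Apple ship: it checks a downloaded file for a private key, for the S/MIME key-usage extension, and for the e-mail address the certificate is bound to (Mail picks the signing certificate by matching that address against the sending account). It needs the openssl command-line tool (1.1.1 or newer for -addext) and generates its own throw-away self-signed test material; the file names, the empty PKCS#12 password and the test address are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a downloaded
# certificate file before importing it into the keychain.  Mail can only
# *sign* with a certificate whose private key is present, and it selects
# the certificate by the e-mail address it carries, so we check:
#  1. does the file (PEM or PKCS#12) contain a private key at all?
#  2. is the certificate marked for S/MIME (emailProtection EKU)?
#  3. which e-mail address is it bound to?
# Test data is constructed below with a throw-away self-signed key; file
# names, the empty PKCS#12 password and the address are assumptions.
set -eu

# 1. Does the file carry a private key?  PEM is checked textually; anything
#    else is treated as PKCS#12 and unpacked with -nocerts so that only key
#    material (if any) reaches grep.  Exit status 0 means "key present".
has_private_key() {
  if grep -q "PRIVATE KEY" "$1" 2>/dev/null; then
    return 0
  fi
  openssl pkcs12 -in "$1" -nocerts -nodes -passin pass: 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# 2. Is the certificate usable for S/MIME?  OpenSSL renders the
#    emailProtection extended key usage as "E-mail Protection" in -text.
smime_capable() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "E-mail Protection"
}

# 3. Which address is the certificate bound to?  A mismatch with the account
#    address means Mail behaves as if no certificate were installed.
cert_email() {
  openssl x509 -in "$1" -noout -email 2>/dev/null
}

# --- constructed test material ------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"; KEY="$WORK/key.pem"
BUNDLE="$WORK/with-key.p12"; CERT_ONLY="$WORK/cert-only.p12"

# Self-signed certificate with an S/MIME EKU and an e-mail address in the
# subject (a constructed address, not a real mailbox).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$KEY" -out "$CERT" \
  -subj "/CN=Test User/emailAddress=test@example.invalid" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=emailProtection" 2>/dev/null

# The shape a useful download has: certificate *and* private key in one
# PKCS#12 bundle (empty password, an assumption for this example).
openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -out "$BUNDLE" -passout pass:

# The shape that reproduces the symptom: a PKCS#12 holding only the
# certificate.  It imports fine with a double click but cannot sign.
openssl pkcs12 -export -nokeys -in "$CERT" -out "$CERT_ONLY" -passout pass:

# --- report --------------------------------------------------------------
report() {
  if has_private_key "$1"; then echo "$1: private key present, can sign"
  else echo "$1: NO private key (can verify/encrypt only, cannot sign)"; fi
}
report "$BUNDLE"
report "$CERT_ONLY"
if smime_capable "$CERT"; then echo "certificate allows S/MIME"; fi
echo "bound to: $(cert_email "$CERT")"
```

Run against the file you actually downloaded (passing your own password via -passin if the bundle has one), the three checks tell you before the import whether you are about to get the "cannot sign" situation above: a certificate-only file will report no private key, and a certificate issued for a different address will show up in the last line.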
And of course I couldn't have done all of this without running into some quirks of OS X. One of them is embarrassing: the good old 'lost in translation' bug, which translates 'Extension' to 'Suffix' when it should actually read 'Erweiterung'. Although it has been fixed in Panther's version of the System Profiler, it can still be found in the Keychain. I've ranted about this before.
The other little irritation can be seen in the next screenshot. The little dot that indicates that Steffen is online is flat in the e-mail list but 'bubbly' next to his name. While Mail does in principle honour iChat's setting to use the simpler symbol, this hasn't been incorporated into the new addition of those 'smart' address objects. Another place where some more testing, or more careful design with a better knowledge of the existing application, would have helped.
Now go out there and get yourself some certificates and we'll have secure and authenticated messages. To improve on the Thawte key, we'll have to find 'notaries' to confirm our identities, rather than just signing the keys of people you know as with PGP. This is a shame. And the fact that all this seems to be focused around the company Thawte sucks. I already have a trustworthily signed PGP key around. Why shouldn't that be enough?