
How does trust work in PGP?

Çağlar Arlı


I am trying to understand in detail how one "expresses" trust in someone else's public key in PGP.

As far as I know, in PGP you associate uids (for simplicity, say that these are emails) to public keys, and this trust assignment process says (or should say) something like "I trust that key 0x1234 belongs to user alice@email.com".

In GPG clients, this process seems to be performed in practice via the tsign (trust signing action) command stated in the GPG manual. However, this manual does not specify what is being signed, and refers to this section of RFC 4880. Therein, nothing is said either about what is being signed (it simply talks about trust levels).

Now, what is being signed is crucial.

Take the example above, in which Carol says "I trust that key 0x1234 belongs to user alice@email.com". But then, assume that the owner of alice@email.com starts using key 0x1234 from bob@email.com. Carol's trust should not apply there, as she does not know who the owner of bob@email.com is. But, if the tsign command above does not bind 0x1234 with alice@email.com (e.g., if it only signs 0x1234), Carol's trust may be misinterpreted.

Can someone refer to some spec (or code) that clearly defines what is being signed? I don't seem to be able to find it.
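The following is an added example, not part of the question above and not GnuPG's code. It reconstructs, from RFC 4880 section 5.2.4 ("Computing Signatures"), the exact byte string a v4 certification signature (types 0x10 to 0x13, which is what tsign produces, with a Trust Signature subpacket from section 5.2.3.13 in the hashed area) is computed over, and shows that the User ID is hashed together with the key material. The key packet body, the User IDs and the trust depth/amount are constructed toy values; the signature itself (the RSA/ECC operation over the digest) is deliberately left out because it changes nothing about what is bound.

```python
"""Reconstruct the hash input of a v4 OpenPGP certification signature
(RFC 4880, section 5.2.4) to show that the User ID is part of what is signed."""
import hashlib
import struct

# Constructed toy public-key packet body. NOT a real key; only its bytes matter here.
FAKE_KEY_BODY = (
    b"\x04"                # version 4
    + b"\x5f\x00\x00\x00"  # creation time (constructed)
    + b"\x01"              # public-key algorithm 1 = RSA
    + b"\x00\x08\xab"      # MPI n: 8 bits, value 0xAB (toy)
    + b"\x00\x02\x03"      # MPI e: 2 bits, value 3 (toy)
)

ALICE_UID = b"Alice <alice@email.com>"
BOB_UID = b"Alice <bob@email.com>"   # same key, a different address (constructed)


def trust_signature_subpacket(depth: int, amount: int) -> bytes:
    """Trust Signature subpacket (RFC 4880 5.2.3.13), the thing `tsign` adds.
    Wire layout: one-octet length, one-octet type (5), one-octet depth, one-octet amount."""
    body = bytes([5, depth, amount])
    return bytes([len(body)]) + body


def certification_hash_input(key_body: bytes, uid: bytes, sig_type: int = 0x13,
                             pk_algo: int = 1, hash_algo: int = 8,
                             hashed_subpackets: bytes = b"") -> bytes:
    """Bytes fed to the hash for a v4 certification over (key, User ID).

    sig_type 0x13 = positive certification; hash_algo 8 = SHA-256 (RFC 4880 9.4).
    A real signature also carries a Signature Creation Time subpacket (type 2)
    in hashed_subpackets; it is omitted here for brevity."""
    # 1. The primary key: 0x99, two-octet length, key packet body.
    data = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    # 2. The User ID being bound: 0xB4, four-octet length, UID bytes.
    #    (0xD1 would be used instead for a User Attribute packet.)
    data += b"\xb4" + struct.pack(">I", len(uid)) + uid
    # 3. The signature's own hashed fields: version, type, pk algo, hash algo,
    #    two-octet length of the hashed subpacket area, then the subpackets.
    sig_fields = (bytes([4, sig_type, pk_algo, hash_algo])
                  + struct.pack(">H", len(hashed_subpackets))
                  + hashed_subpackets)
    # 4. The v4 trailer: 0x04 0xFF and the four-octet length of item 3.
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_fields))
    return data + sig_fields + trailer


def certification_digest(key_body: bytes, uid: bytes, **kwargs) -> str:
    """SHA-256 over the certification hash input, as hex."""
    return hashlib.sha256(certification_hash_input(key_body, uid, **kwargs)).hexdigest()


def uid_is_bound_by_signature() -> bool:
    """True if re-using the same key under another User ID changes the signed digest,
    i.e. Carol's certification of (0x1234, alice@...) cannot be replayed for bob@..."""
    tsig = trust_signature_subpacket(depth=1, amount=120)   # constructed values
    d_alice = certification_digest(FAKE_KEY_BODY, ALICE_UID, hashed_subpackets=tsig)
    d_bob = certification_digest(FAKE_KEY_BODY, BOB_UID, hashed_subpackets=tsig)
    return d_alice != d_bob


if __name__ == "__main__":
    print("hash input (hex):", certification_hash_input(FAKE_KEY_BODY, ALICE_UID).hex())
    print("UID bound into signature:", uid_is_bound_by_signature())
```

Because the 0xB4-prefixed User ID sits between the key bytes and the signature fields, a certification over (key, alice@email.com) verifies only against that pair; presenting the same key under bob@email.com yields a different digest and the signature fails, which is the binding the question asks about. A keyring importer that verifies certifications per User ID (as GnuPG does) therefore cannot mistake Carol's trust for bob@email.com.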