Note that the BIP doesn't tell you what certificates should be trusted. That's up to the implementation, not the protocol:
"Trusted root certificates may be obtained from the operating system; if validation is done on a device without an operating system, the Mozilla root store is recommended."
If you want to use a WoT, you can just use something like monkeysphere
http://web.monkeysphere.info/ instead of the normal PKI/root-CAs.
There isn't a widely used transport layer standard for OpenPGP, which is what the protocol needs, so TLS is probably a better choice than PGP for the actual encryption.