Description
The user IDs displayed during "gpg --update-trustdb" may not have been
certified yet and thus it is possible to add a faked UID and make the
user (running the update) believe this is someone he trusts to sign
other keys.
Fix
The best thing would be to display all user IDs (done since 1.2.1) and add an option to show more info on the key.
There should also be an indication when the user ID is not considered
trustworthy (by the current WoT) by adding an "[unchecked]" to the
user ID.
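
The display rule proposed above, sketched as an added example (not GnuPG code and not part of the original report): it reads a colon-format key listing and prints every user ID of a key, appending "[unchecked]" to any whose validity is not marginal, full or ultimate. It assumes output from "gpg --with-colons --fixed-list-mode --list-keys" with the field layout documented in GnuPG's doc/DETAILS; the sample listing, key ID and names are constructed.

```python
import re

# Validity letters (field 2) treated as certified: marginal, full, ultimate.
# Mapping everything else to "[unchecked]" is this example's assumption.
CERTIFIED = {"m", "f", "u"}

# Constructed sample listing; field 8 of the uid records is a placeholder.
SAMPLE = r"""pub:f:1024:17:AAAAAAAAAAAAAAAA:1041379200:::-:::scESC:
uid:f::::1041379200::UIDHASH1::Alice Example <alice@example.org>:
uid:-::::1041465600::UIDHASH2::Trusted Introducer <ca@example.org>:
uid:q::::1041465600::UIDHASH3::Bob\x3a Ops <bob@example.org>:
"""

def unescape(uid):
    """Decode \\xNN escapes, but leave non-printable bytes escaped so a
    hostile user ID cannot inject terminal control sequences."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch.isprintable() else m.group(0)
    return re.sub(r"\\x([0-9a-fA-F]{2})", repl, uid)

def label_user_ids(listing):
    """Return {keyid: [user ID, ...]} with uncertified IDs marked."""
    keys, keyid = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            keyid = f[4]              # field 5: key ID
            keys[keyid] = []
        elif f[0] == "uid" and keyid and len(f) > 9:
            name = unescape(f[9])     # field 10: user ID
            tag = "" if f[1] in CERTIFIED else " [unchecked]"
            keys[keyid].append(name + tag)
    return keys

if __name__ == "__main__":
    for kid, uids in label_user_ids(SAMPLE).items():
        print(kid)
        for u in uids:
            print("    " + u)
```

In the sample, the key itself is valid through its first user ID, yet the two later user IDs carry no certification and are flagged, which is the case the report describes.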