diff --git a/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java b/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
index f9d85a90..0d9afd5c 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/AuditLogResource.java
@@ -17,6 +17,7 @@
 import org.cryptomator.hub.entities.events.AuditEvent;
 import org.cryptomator.hub.entities.events.DeviceRegisteredEvent;
 import org.cryptomator.hub.entities.events.DeviceRemovedEvent;
+import org.cryptomator.hub.entities.events.SignedWotIdEvent;
 import org.cryptomator.hub.entities.events.VaultAccessGrantedEvent;
 import org.cryptomator.hub.entities.events.VaultCreatedEvent;
 import org.cryptomator.hub.entities.events.VaultKeyRetrievedEvent;
@@ -80,6 +81,7 @@ public List<AuditEventDto> getAllEvents(@QueryParam("startDate") Instant startDa
 	@JsonSubTypes({ //
 			@JsonSubTypes.Type(value = DeviceRegisteredEventDto.class, name = DeviceRegisteredEvent.TYPE), //
 			@JsonSubTypes.Type(value = DeviceRemovedEventDto.class, name = DeviceRemovedEvent.TYPE), //
+			@JsonSubTypes.Type(value = SignedWotIdEvent.class, name = SignedWotIdEvent.TYPE), //
 			@JsonSubTypes.Type(value = VaultCreatedEventDto.class, name = VaultCreatedEvent.TYPE), //
 			@JsonSubTypes.Type(value = VaultUpdatedEventDto.class, name = VaultUpdatedEvent.TYPE), //
 			@JsonSubTypes.Type(value = VaultAccessGrantedEventDto.class, name = VaultAccessGrantedEvent.TYPE), //
@@ -101,6 +103,7 @@ static AuditEventDto fromEntity(AuditEvent entity) {
 			return switch (entity) {
 				case DeviceRegisteredEvent evt -> new DeviceRegisteredEventDto(evt.getId(), evt.getTimestamp(), DeviceRegisteredEvent.TYPE, evt.getRegisteredBy(), evt.getDeviceId(), evt.getDeviceName(), evt.getDeviceType());
 				case DeviceRemovedEvent evt -> new DeviceRemovedEventDto(evt.getId(), evt.getTimestamp(), DeviceRemovedEvent.TYPE, evt.getRemovedBy(), evt.getDeviceId());
+				case SignedWotIdEvent evt -> new SignedWotIdEventDto(evt.getId(), evt.getTimestamp(), SignedWotIdEvent.TYPE, evt.getUserId(), evt.getSignerId(), evt.getSignerKey(), evt.getSignature());
 				case VaultCreatedEvent evt -> new VaultCreatedEventDto(evt.getId(), evt.getTimestamp(), VaultCreatedEvent.TYPE, evt.getCreatedBy(), evt.getVaultId(), evt.getVaultName(), evt.getVaultDescription());
 				case VaultUpdatedEvent evt -> new VaultUpdatedEventDto(evt.getId(), evt.getTimestamp(), VaultUpdatedEvent.TYPE, evt.getUpdatedBy(), evt.getVaultId(), evt.getVaultName(), evt.getVaultDescription(), evt.isVaultArchived());
 				case VaultAccessGrantedEvent evt -> new VaultAccessGrantedEventDto(evt.getId(), evt.getTimestamp(), VaultAccessGrantedEvent.TYPE, evt.getGrantedBy(), evt.getVaultId(), evt.getAuthorityId());
@@ -121,6 +124,9 @@ record DeviceRegisteredEventDto(long id, Instant timestamp, String type, @JsonPr
 	record DeviceRemovedEventDto(long id, Instant timestamp, String type, @JsonProperty("removedBy") String removedBy, @JsonProperty("deviceId") String deviceId) implements AuditEventDto {
 	}
 
+	record SignedWotIdEventDto(long id, Instant timestamp, String type, @JsonProperty("userId") String userId, @JsonProperty("signerId") String signerId, @JsonProperty("signerKey") String signerKey, @JsonProperty("signature") String signature) implements AuditEventDto {
+	}
+
 	record VaultCreatedEventDto(long id, Instant timestamp, String type, @JsonProperty("createdBy") String createdBy, @JsonProperty("vaultId") UUID vaultId, @JsonProperty("vaultName") String vaultName,
 								@JsonProperty("vaultDescription") String vaultDescription) implements AuditEventDto {
 	}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
index bcae87d4..98ae5883 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/MemberDto.java
@@ -7,20 +7,26 @@
 
 public final class MemberDto extends AuthorityDto {
 
+	@JsonProperty("ecdhPublicKey")
+	public final String ecdhPublicKey;
+	@JsonProperty("ecdsaPublicKey")
+	public final String ecdsaPublicKey;
 	@JsonProperty("role")
 	public final VaultAccess.Role role;
 
-	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") AuthorityDto.Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("role") VaultAccess.Role role) {
+	MemberDto(@JsonProperty("id") String id, @JsonProperty("type") Type type, @JsonProperty("name") String name, @JsonProperty("pictureUrl") String pictureUrl, @JsonProperty("ecdhPublicKey") String ecdhPublicKey, @JsonProperty("ecdsaPublicKey") String ecdsaPublicKey, @JsonProperty("role") VaultAccess.Role role) {
 		super(id, type, name, pictureUrl);
+		this.ecdhPublicKey = ecdhPublicKey;
+		this.ecdsaPublicKey = ecdsaPublicKey;
 		this.role = role;
 	}
 
 	public static MemberDto fromEntity(User user, VaultAccess.Role role) {
-		return new MemberDto(user.getId(), Type.USER, user.getName(), user.getPictureUrl(), role);
+		return new MemberDto(user.getId(), Type.USER, user.getName(), user.getPictureUrl(), user.getEcdhPublicKey(), user.getEcdsaPublicKey(), role);
 	}
 
 	public static MemberDto fromEntity(Group group, VaultAccess.Role role) {
-		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, role);
+		return new MemberDto(group.getId(), Type.GROUP, group.getName(), null, null, null, role);
 	}
 
-}
+}
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java b/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java
new file mode 100644
index 00000000..2e5735c0
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/api/SettingsResource.java
@@ -0,0 +1,62 @@
+package org.cryptomator.hub.api;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+import jakarta.transaction.Transactional;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotNull;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+import org.cryptomator.hub.entities.Settings;
+import org.eclipse.microprofile.openapi.annotations.Operation;
+import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
+
+@Path("/settings")
+public class SettingsResource {
+
+	@Inject
+	Settings.Repository settingsRepo;
+
+	@GET
+	@RolesAllowed("user")
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get the billing information")
+	@APIResponse(responseCode = "200")
+	@Transactional
+	public SettingsDto get() {
+		return SettingsDto.fromEntity(settingsRepo.get());
+	}
+
+	@PUT
+	@RolesAllowed("admin")
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Operation(summary = "update settings")
+	@APIResponse(responseCode = "204", description = "token set")
+	@APIResponse(responseCode = "400", description = "invalid settings")
+	@APIResponse(responseCode = "403", description = "only admins are allowed to update settings")
+	@Transactional
+	public Response put(@NotNull @Valid SettingsDto dto) {
+		var settings = settingsRepo.get();
+		settings.setWotMaxDepth(dto.wotMaxDepth);
+		settings.setWotIdVerifyLen(dto.wotIdVerifyLen);
+		settingsRepo.persist(settings);
+		return Response.status(Response.Status.NO_CONTENT).build();
+	}
+
+	public record SettingsDto(@JsonProperty("hubId") String hubId, @JsonProperty("wotMaxDepth") @Min(0) @Max(9) int wotMaxDepth, @JsonProperty("wotIdVerifyLen") @Min(0) int wotIdVerifyLen) {
+
+		public static SettingsDto fromEntity(Settings entity) {
+			return new SettingsDto(entity.getHubId(), entity.getWotMaxDepth(), entity.getWotIdVerifyLen());
+		}
+
+	}
+
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/api/UserDto.java b/backend/src/main/java/org/cryptomator/hub/api/UserDto.java
index 14542f00..5ede84d2 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/UserDto.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/UserDto.java
@@ -23,7 +23,11 @@ public final class UserDto extends AuthorityDto {
 	@JsonProperty("setupCode")
 	public final String setupCode;
 
-	@Deprecated
+	/**
+	 * Same as {@link #ecdhPublicKey}, kept for compatibility purposes
+	 * @deprecated to be removed when all clients moved to the new DTO field names
+	 */
+	@Deprecated(forRemoval = true)
 	@JsonProperty("publicKey")
 	public final String legacyEcdhPublicKey;
 
diff --git a/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java b/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java
index 0b200057..d42e73c3 100644
--- a/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java
+++ b/backend/src/main/java/org/cryptomator/hub/api/UsersResource.java
@@ -1,5 +1,6 @@
 package org.cryptomator.hub.api;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.annotation.Nullable;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
@@ -8,17 +9,21 @@
 import jakarta.validation.constraints.NotNull;
 import jakarta.ws.rs.Consumes;
 import jakarta.ws.rs.GET;
+import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.PUT;
 import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import org.cryptomator.hub.entities.AccessToken;
 import org.cryptomator.hub.entities.Device;
+import org.cryptomator.hub.entities.EffectiveWot;
 import org.cryptomator.hub.entities.User;
 import org.cryptomator.hub.entities.Vault;
+import org.cryptomator.hub.entities.WotEntry;
 import org.cryptomator.hub.entities.events.EventLogger;
 import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.eclipse.microprofile.openapi.annotations.Operation;
@@ -48,6 +53,10 @@ public class UsersResource {
 	Device.Repository deviceRepo;
 	@Inject
 	Vault.Repository vaultRepo;
+	@Inject
+	WotEntry.Repository wotRepo;
+	@Inject
+	EffectiveWot.Repository effectiveWotRepo;
 
 	@Inject
 	JsonWebToken jwt;
@@ -168,7 +177,63 @@ public Response resetMe() {
 	@Produces(MediaType.APPLICATION_JSON)
 	@Operation(summary = "list all users")
 	public List<UserDto> getAll() {
-		return userRepo.findAll().<User>stream().map(UserDto::justPublicInfo).toList();
+		return userRepo.findAll().stream().map(UserDto::justPublicInfo).toList();
 	}
 
+	@PUT
+	@Path("/trusted/{userId}")
+	@RolesAllowed("user")
+	@Transactional
+	@Consumes(MediaType.TEXT_PLAIN)
+	@Operation(summary = "adds/updates trust", description = "Stores a signature for the given user.")
+	@APIResponse(responseCode = "204", description = "signature stored")
+	public Response putSignature(@PathParam("userId") String userId, @NotNull String signature) {
+		var signer = userRepo.findById(jwt.getSubject());
+		var id = new WotEntry.Id();
+		id.setUserId(userId);
+		id.setSignerId(signer.getId());
+		var entry = wotRepo.findById(id);
+		if (entry == null) {
+			entry = new WotEntry();
+			entry.setId(id);
+		}
+		entry.setSignature(signature);
+		wotRepo.persist(entry);
+		eventLogger.logWotIdSigned(userId, signer.getId(), signer.getEcdsaPublicKey(), signature);
+		return Response.status(Response.Status.NO_CONTENT).build();
+	}
+
+	@GET
+	@Path("/trusted/{userId}")
+	@RolesAllowed("user")
+	@NoCache
+	@Transactional
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get trust detail for given user", description = "returns the shortest found signature chain for the given user")
+	@APIResponse(responseCode = "200")
+	@APIResponse(responseCode = "404", description = "if no sufficiently short trust chain between the invoking user and the user with the given id has been found")
+	public TrustedUserDto getTrustedUser(@PathParam("userId") String trustedUserId) {
+		var trustingUserId = jwt.getSubject();
+		return effectiveWotRepo.findTrusted(trustingUserId, trustedUserId).singleResultOptional().map(TrustedUserDto::fromEntity).orElseThrow(NotFoundException::new);
+	}
+
+	@GET
+	@Path("/trusted")
+	@RolesAllowed("user")
+	@NoCache
+	@Transactional
+	@Produces(MediaType.APPLICATION_JSON)
+	@Operation(summary = "get trusted users", description = "returns a list of users trusted by the currently logged-in user")
+	@APIResponse(responseCode = "200")
+	public List<TrustedUserDto> getTrustedUsers() {
+		var trustingUserId = jwt.getSubject();
+		return effectiveWotRepo.findTrusted(trustingUserId).stream().map(TrustedUserDto::fromEntity).toList();
+	}
+
+	public record TrustedUserDto(@JsonProperty("trustedUserId") String trustedUserId, @JsonProperty("signatureChain") List<String> signatureChain) {
+
+		public static TrustedUserDto fromEntity(EffectiveWot entity) {
+			return new TrustedUserDto(entity.getId().getTrustedUserId(), List.of(entity.getSignatureChain()));
+		}
+	}
 }
\ No newline at end of file
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java
new file mode 100644
index 00000000..977e21a7
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/EffectiveWot.java
@@ -0,0 +1,108 @@
+package org.cryptomator.hub.entities;
+
+import io.quarkus.hibernate.orm.panache.PanacheQuery;
+import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import io.quarkus.panache.common.Parameters;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.persistence.EmbeddedId;
+import jakarta.persistence.Entity;
+import jakarta.persistence.NamedQuery;
+import jakarta.persistence.Table;
+import org.hibernate.annotations.Immutable;
+import org.hibernate.annotations.Type;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+@Entity
+@Immutable
+@Table(name = "effective_wot")
+@NamedQuery(name = "EffectiveWot.findTrustedUsers", query = """
+		SELECT wot
+		FROM EffectiveWot wot
+		WHERE wot.id.trustingUserId = :trustingUserId
+		""")
+@NamedQuery(name = "EffectiveWot.findTrustedUser", query = """
+		SELECT wot
+		FROM EffectiveWot wot
+		WHERE wot.id.trustingUserId = :trustingUserId AND wot.id.trustedUserId = :trustedUserId
+		""")
+public class EffectiveWot {
+
+	@EmbeddedId
+	private Id id;
+
+	@Column(name = "signature_chain")
+	@Type(StringArrayType.class)
+	private String[] signatureChain;
+
+	public Id getId() {
+		return id;
+	}
+
+	public void setId(Id id) {
+		this.id = id;
+	}
+
+	public String[] getSignatureChain() {
+		return signatureChain;
+	}
+
+	public void setSignatureChain(String[] signatureChain) {
+		this.signatureChain = signatureChain;
+	}
+
+	@Embeddable
+	public static class Id implements Serializable {
+
+		@Column(name = "trusting_user_id")
+		private String trustingUserId;
+
+		@Column(name = "trusted_user_id")
+		private String trustedUserId;
+
+		public String getTrustingUserId() {
+			return trustingUserId;
+		}
+
+		public String getTrustedUserId() {
+			return trustedUserId;
+		}
+
+		@Override
+		public boolean equals(Object o) {
+			if (this == o) return true;
+			if (o instanceof Id other) {
+				return Objects.equals(trustingUserId, other.trustingUserId) //
+						&& Objects.equals(trustedUserId, other.trustedUserId);
+			}
+			return false;
+		}
+
+		@Override
+		public int hashCode() {
+			return Objects.hash(trustingUserId, trustedUserId);
+		}
+
+		@Override
+		public String toString() {
+			return "EffectiveWotId{" +
+					"trustingUserId='" + trustingUserId + '\'' +
+					", trustedUserId='" + trustedUserId + '\'' +
+					'}';
+		}
+	}
+
+	@ApplicationScoped
+	public static class Repository implements PanacheRepositoryBase<EffectiveWot, Id> {
+		public PanacheQuery<EffectiveWot> findTrusted(String trustingUserId) {
+			return find("#EffectiveWot.findTrustedUsers", Parameters.with("trustingUserId", trustingUserId));
+		}
+
+		public PanacheQuery<EffectiveWot> findTrusted(String trustingUserId, String trustedUserId) {
+			return find("#EffectiveWot.findTrustedUser", Parameters.with("trustingUserId", trustingUserId).and("trustedUserId", trustedUserId));
+		}
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/Settings.java b/backend/src/main/java/org/cryptomator/hub/entities/Settings.java
index d521e548..48f8373d 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/Settings.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/Settings.java
@@ -25,6 +25,12 @@ public class Settings {
 	@Column(name = "license_key")
 	private String licenseKey;
 
+	@Column(name = "wot_max_depth", nullable = false)
+	private int wotMaxDepth;
+
+	@Column(name = "wot_id_verify_len", nullable = false)
+	private int wotIdVerifyLen;
+
 	public int getId() {
 		return id;
 	}
@@ -49,12 +55,30 @@ public void setLicenseKey(String licenseKey) {
 		this.licenseKey = licenseKey;
 	}
 
+	public int getWotMaxDepth() {
+		return wotMaxDepth;
+	}
+
+	public void setWotMaxDepth(int wotMaxDepth) {
+		this.wotMaxDepth = wotMaxDepth;
+	}
+
+	public int getWotIdVerifyLen() {
+		return wotIdVerifyLen;
+	}
+
+	public void setWotIdVerifyLen(int wotIdVerifyLen) {
+		this.wotIdVerifyLen = wotIdVerifyLen;
+	}
+
 	@Override
 	public String toString() {
 		return "Settings{" +
 				"id=" + id +
 				", hubId='" + hubId + '\'' +
 				", licenseKey='" + licenseKey + '\'' +
+				", wotMaxDepth='" + wotMaxDepth + '\'' +
+				", wotIdVerifyLen='" + wotIdVerifyLen + '\'' +
 				'}';
 	}
 
@@ -65,12 +89,14 @@ public boolean equals(Object o) {
 		Settings settings = (Settings) o;
 		return id == settings.id
 				&& Objects.equals(hubId, settings.hubId)
-				&& Objects.equals(licenseKey, settings.licenseKey);
+				&& Objects.equals(licenseKey, settings.licenseKey)
+				&& Objects.equals(wotMaxDepth, settings.wotMaxDepth)
+				&& Objects.equals(wotIdVerifyLen, settings.wotIdVerifyLen);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(id, hubId, licenseKey);
+		return Objects.hash(id, hubId, licenseKey, wotMaxDepth, wotIdVerifyLen);
 	}
 
 	@ApplicationScoped
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java b/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java
new file mode 100644
index 00000000..07e63552
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/StringArrayType.java
@@ -0,0 +1,66 @@
+package org.cryptomator.hub.entities;
+
+import org.hibernate.engine.spi.SharedSessionContractImplementor;
+import org.hibernate.usertype.UserType;
+
+import java.io.Serializable;
+import java.sql.Array;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Types;
+import java.util.Arrays;
+
+public class StringArrayType implements UserType<String[]> {
+
+	@Override
+	public int getSqlType() {
+		return Types.ARRAY;
+	}
+
+	@Override
+	public Class<String[]> returnedClass() {
+		return String[].class;
+	}
+
+	@Override
+	public boolean equals(String[] x, String[] y) {
+		return Arrays.equals(x, y);
+	}
+
+	@Override
+	public int hashCode(String[] x) {
+		return Arrays.hashCode(x);
+	}
+
+	@Override
+	public String[] nullSafeGet(ResultSet rs, int position, SharedSessionContractImplementor session, Object owner) throws SQLException {
+		Array array = rs.getArray(position);
+		return array != null ? (String[]) array.getArray() : null;
+	}
+
+	@Override
+	public void nullSafeSet(PreparedStatement st, String[] value, int index, SharedSessionContractImplementor session) {
+		throw new UnsupportedOperationException("Read Only");
+	}
+
+	@Override
+	public boolean isMutable() {
+		return false;
+	}
+
+	@Override
+	public String[] deepCopy(String[] value) {
+		return value; // value is immutable
+	}
+
+	@Override
+	public Serializable disassemble(String[] value) {
+		return value; // value is immutable
+	}
+
+	@Override
+	public String[] assemble(Serializable cached, Object owner) {
+		return (String[]) cached; // value is immutable
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java b/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java
new file mode 100644
index 00000000..e451831b
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/WotEntry.java
@@ -0,0 +1,92 @@
+package org.cryptomator.hub.entities;
+
+import io.quarkus.hibernate.orm.panache.PanacheRepositoryBase;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.persistence.Column;
+import jakarta.persistence.Embeddable;
+import jakarta.persistence.EmbeddedId;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Table;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+@Entity
+@Table(name = "wot")
+public class WotEntry {
+
+	@EmbeddedId
+	private Id id;
+
+	@Column(name = "signature", nullable = false)
+	private String signature;
+
+	public Id getId() {
+		return id;
+	}
+
+	public void setId(Id id) {
+		this.id = id;
+	}
+
+	public String getSignature() {
+		return signature;
+	}
+
+	public void setSignature(String signature) {
+		this.signature = signature;
+	}
+
+	@Embeddable
+	public static class Id implements Serializable {
+
+		@Column(name = "user_id")
+		private String userId;
+
+		@Column(name = "signer_id")
+		private String signerId;
+
+		public String getUserId() {
+			return userId;
+		}
+
+		public void setUserId(String userId) {
+			this.userId = userId;
+		}
+
+		public String getSignerId() {
+			return signerId;
+		}
+
+		public void setSignerId(String signerId) {
+			this.signerId = signerId;
+		}
+
+		@Override
+		public boolean equals(Object o) {
+			if (this == o) return true;
+			if (o instanceof Id other) {
+				return Objects.equals(userId, other.userId) //
+						&& Objects.equals(signerId, other.signerId);
+			}
+			return false;
+		}
+
+		@Override
+		public int hashCode() {
+			return Objects.hash(userId, signerId);
+		}
+
+		@Override
+		public String toString() {
+			return "WotEntryId{" +
+					"userId='" + userId + '\'' +
+					", signerId='" + signerId + '\'' +
+					'}';
+		}
+	}
+
+	@ApplicationScoped
+	public static class Repository implements PanacheRepositoryBase<WotEntry, Id> {
+	}
+}
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java b/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java
index d2839e10..d4cee866 100644
--- a/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/EventLogger.java
@@ -100,6 +100,16 @@ public void logVaultMemberUpdated(String updatedBy, UUID vaultId, String authori
 		auditEventRepository.persist(event);
 	}
 
+	public void logWotIdSigned(String userId, String signerId, String signerKey, String signature) {
+		var event = new SignedWotIdEvent();
+		event.setTimestamp(Instant.now());
+		event.setUserId(userId);
+		event.setSignerId(signerId);
+		event.setSignerKey(signerKey);
+		event.setSignature(signature);
+		auditEventRepository.persist(event);
+	}
+
 	//legacy
 	public void logVaultOwnershipClaimed(String claimedBy, UUID vaultId) {
 		var event = new VaultOwnershipClaimedEvent();
diff --git a/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java b/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java
new file mode 100644
index 00000000..e87a4161
--- /dev/null
+++ b/backend/src/main/java/org/cryptomator/hub/entities/events/SignedWotIdEvent.java
@@ -0,0 +1,81 @@
+package org.cryptomator.hub.entities.events;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.DiscriminatorValue;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.Table;
+
+import java.util.Objects;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_event_sign_wot_id")
+@DiscriminatorValue(SignedWotIdEvent.TYPE)
+public class SignedWotIdEvent extends AuditEvent {
+
+	public static final String TYPE = "SIGN_WOT_ID";
+
+	@Column(name = "user_id")
+	private String userId;
+
+	@Column(name = "signer_id")
+	private String signerId;
+
+	@Column(name = "signer_key")
+	private String signerKey;
+
+	@Column(name = "signature")
+	private String signature;
+
+	public String getUserId() {
+		return userId;
+	}
+
+	public void setUserId(String userId) {
+		this.userId = userId;
+	}
+
+	public String getSignerId() {
+		return signerId;
+	}
+
+	public void setSignerId(String signerId) {
+		this.signerId = signerId;
+	}
+
+	public String getSignerKey() {
+		return signerKey;
+	}
+
+	public void setSignerKey(String signerKey) {
+		this.signerKey = signerKey;
+	}
+
+	public String getSignature() {
+		return signature;
+	}
+
+	public void setSignature(String signature) {
+		this.signature = signature;
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (this == o) return true;
+		if (o == null || getClass() != o.getClass()) return false;
+		SignedWotIdEvent that = (SignedWotIdEvent) o;
+		return super.equals(that) //
+				&& Objects.equals(userId, that.userId) //
+				&& Objects.equals(signerId, that.signerId) //
+				&& Objects.equals(signerKey, that.signerKey) //
+				&& Objects.equals(signature, that.signature);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.getId(), userId, signerId, signerKey, signature);
+	}
+
+}
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png b/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png
index 19bce5b4..dbc96863 100644
Binary files a/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png and b/backend/src/main/resources/org/cryptomator/hub/flyway/ERM.png differ
diff --git a/backend/src/main/resources/org/cryptomator/hub/flyway/V16__WoT.sql b/backend/src/main/resources/org/cryptomator/hub/flyway/V16__WoT.sql
new file mode 100644
index 00000000..dbd5b1ed
--- /dev/null
+++ b/backend/src/main/resources/org/cryptomator/hub/flyway/V16__WoT.sql
@@ -0,0 +1,48 @@
+ALTER TABLE "settings" ADD "wot_max_depth" INTEGER NOT NULL DEFAULT 3;
+ALTER TABLE "settings" ADD "wot_id_verify_len" INTEGER NOT NULL DEFAULT 2;
+ALTER TABLE "settings" ADD CONSTRAINT "check_wot_max_depth" CHECK ("wot_max_depth" >= 0 AND "wot_max_depth" < 10);
+
+CREATE TABLE "wot" (
+    "user_id" VARCHAR(255) COLLATE "C" NOT NULL,
+    "signer_id" VARCHAR(255) COLLATE "C" NOT NULL,
+    "signature" VARCHAR NOT NULL,
+    PRIMARY KEY ("user_id", "signer_id"),
+    CONSTRAINT "fk_user_id" FOREIGN KEY ("user_id") REFERENCES "user_details" ("id") ON DELETE CASCADE,
+    CONSTRAINT "fk_signer_id" FOREIGN KEY ("signer_id") REFERENCES "user_details" ("id") ON DELETE CASCADE
+);
+
+CREATE TABLE "audit_event_sign_wot_id"
+(
+	"id"          BIGINT NOT NULL,
+	"user_id"     VARCHAR(255) COLLATE "C" NOT NULL,
+	"signer_id"   VARCHAR(255) COLLATE "C" NOT NULL,
+	"signer_key"  VARCHAR NOT NULL,
+	"signature"   VARCHAR NOT NULL,
+	CONSTRAINT "AUDIT_EVENT_SIGN_WOT_ID_PK" PRIMARY KEY ("id"),
+	CONSTRAINT "AUDIT_EVENT_SIGN_WOT_ID_FK_AUDIT_EVENT" FOREIGN KEY ("id") REFERENCES "audit_event" ("id") ON DELETE CASCADE
+);
+
+-- @formatter:off
+CREATE VIEW "effective_wot" ("trusting_user_id", "trusted_user_id", "signature_chain") AS
+WITH RECURSIVE "r" ("trusting_user_id", "trusted_user_id", "depth", "signer_chain", "signature_chain") AS (
+	-- Anchor member: Directly trusted users
+	SELECT "signer_id", "user_id", 0, array["signer_id"]::varchar[], array["signature"]::varchar[]
+	FROM "wot"
+
+	UNION ALL
+
+	-- Recursive member: Transitive trust
+	SELECT "r"."trusting_user_id", "wot"."user_id", "r"."depth" + 1, ("r"."signer_chain" || "wot"."signer_id")::varchar[], ("r"."signature_chain" || "wot"."signature")::varchar[]
+	FROM  "wot"
+	INNER JOIN "r"
+	    ON "wot"."signer_id" = "r"."trusted_user_id"  -- primary recursion criteria
+	    AND "wot"."user_id" <> ALL("r"."signer_chain") -- only if user isn't part of signature chain already (avoid loops)
+	INNER JOIN "settings" ON "settings"."id" = 0
+	WHERE "r"."depth" < "settings"."wot_max_depth"
+)
+SELECT
+    DISTINCT ON ("trusting_user_id", "trusted_user_id") -- keep only one relation (ordered by depth), i.e. the shortest path
+    "trusting_user_id", "trusted_user_id", "signature_chain"
+    FROM "r"
+    ORDER BY "trusting_user_id", "trusted_user_id", "depth";
+-- @formatter:on
\ No newline at end of file
diff --git a/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java
index 43db2f14..4a75e9a4 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/AuditLogResourceIT.java
@@ -1,12 +1,16 @@
 package org.cryptomator.hub.api;
 
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.restassured.RestAssured;
+import org.cryptomator.hub.license.LicenseHolder;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 
 import static io.restassured.RestAssured.given;
 import static io.restassured.RestAssured.when;
@@ -16,11 +20,20 @@
 @DisplayName("Resource /auditlog")
 public class AuditLogResourceIT {
 
+	@InjectMock
+	LicenseHolder licenseHolder;
+
 	@BeforeAll
 	public static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
 	}
 
+	@BeforeEach
+	public void beforeEach() {
+		Mockito.doReturn(true).when(licenseHolder).isSet();
+		Mockito.doReturn(false).when(licenseHolder).isExpired();
+	}
+
 	@Test
 	@TestSecurity(user = "Admin", roles = {"admin"})
 	@DisplayName("As admin, GET /auditlog?startDate=2020-02-20T00:00:00.000Z&endDate=2020-02-20T23:59:59.999Z&paginationId=9999 returns 200 with 20 entries")
diff --git a/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java
new file mode 100644
index 00000000..cdb7243e
--- /dev/null
+++ b/backend/src/test/java/org/cryptomator/hub/api/SettingsResourceIT.java
@@ -0,0 +1,127 @@
+package org.cryptomator.hub.api;
+
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
+import io.quarkus.test.security.oidc.Claim;
+import io.quarkus.test.security.oidc.OidcSecurity;
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.MethodOrderer;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestMethodOrder;
+
+import static io.restassured.RestAssured.given;
+import static io.restassured.RestAssured.when;
+import static org.hamcrest.CoreMatchers.is;
+
+@QuarkusTest
+@DisplayName("Resource /settings")
+public class SettingsResourceIT {
+
+	@BeforeAll
+	public static void beforeAll() {
+		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
+	}
+
+	@Nested
+	@DisplayName("As admin")
+	@TestSecurity(user = "Admin", roles = {"user", "admin"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "admin")
+	})
+	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+	public class AsAdmin {
+
+		@Test
+		@Order(1)
+		@DisplayName("GET /settings returns 200")
+		public void testGetInitial() {
+			when().get("/settings")
+					.then().statusCode(200)
+					.body("wotMaxDepth", is(3))
+					.body("wotIdVerifyLen", is(2));
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("PUT /settings returns 204 No Content")
+		public void testPut() {
+			var dto = new SettingsResource.SettingsDto("42", 5, 8);
+			given().contentType(ContentType.JSON).body(dto)
+					.when().put("/settings")
+					.then().statusCode(204);
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("GET /settings returns 200")
+		public void testGetModify() {
+			when().get("/settings")
+					.then().statusCode(200)
+					.body("wotMaxDepth", is(5))
+					.body("wotIdVerifyLen", is(8));
+		}
+
+		@Test
+		@Order(4)
+		@DisplayName("PUT /settings returns 204 No Content")
+		public void testPutBackToDefault() {
+			var dto = new SettingsResource.SettingsDto("42", 3, 2);
+			given().contentType(ContentType.JSON).body(dto)
+					.when().put("/settings")
+					.then().statusCode(204);
+		}
+
+
+	}
+
+	@Nested
+	@DisplayName("As normal user")
+	@TestSecurity(user = "User Name 1", roles = {"user"})
+	@OidcSecurity(claims = {
+			@Claim(key = "sub", value = "user1")
+	})
+	public class AsNormalUser {
+
+		@Test
+		@DisplayName("GET /settings returns 200")
+		public void testGet() {
+			when().get("/settings")
+					.then().statusCode(200);
+		}
+
+		@Test
+		@DisplayName("PUT /settings returns 403 Forbidden")
+		public void testPut() {
+			given().contentType(ContentType.JSON).body("")
+					.when().put("/settings")
+					.then().statusCode(403);
+		}
+
+	}
+
+	@Nested
+	@DisplayName("As unauthenticated user")
+	public class AsAnonymous {
+
+		@Test
+		@DisplayName("GET /billing returns 401 Unauthorized")
+		public void testGet() {
+			when().get("/settings")
+					.then().statusCode(401);
+		}
+
+		@Test
+		@DisplayName("PUT /settings returns 401 Unauthorized")
+		public void testPut() {
+			given().contentType(ContentType.JSON).body("")
+					.when().put("/settings")
+					.then().statusCode(401);
+		}
+
+	}
+}
diff --git a/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java b/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java
index 4e79b629..4778b818 100644
--- a/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java
+++ b/backend/src/test/java/org/cryptomator/hub/api/UsersResourceIT.java
@@ -1,28 +1,52 @@
 package org.cryptomator.hub.api;
 
+import io.agroal.api.AgroalDataSource;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.oidc.Claim;
 import io.quarkus.test.security.oidc.OidcSecurity;
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
+import jakarta.inject.Inject;
+import org.cryptomator.hub.license.LicenseHolder;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.MethodOrderer;
 import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Order;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.api.TestMethodOrder;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.mockito.Mockito;
+
+import java.sql.SQLException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
 
 import static io.restassured.RestAssured.given;
 import static io.restassured.RestAssured.when;
 import static org.hamcrest.CoreMatchers.hasItems;
 import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.Matchers.comparesEqualTo;
+import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.hasSize;
 
 @QuarkusTest
 @DisplayName("Resource /users")
 public class UsersResourceIT {
 
+	@Inject
+	AgroalDataSource dataSource;
+
+	@InjectMock
+	LicenseHolder licenseHolder;
+
 	@BeforeAll
 	public static void beforeAll() {
 		RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
@@ -119,4 +143,177 @@ public void testGet(String method, String path) {
 
 	}
 
+	@Nested
+	@DisplayName("Test Web of Trust")
+	@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+	public class WebOfTrust {
+
+		private Instant testStart;
+
+		@BeforeAll
+		public void setup() throws SQLException {
+			testStart = Instant.now();
+			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
+				s.execute("""
+						INSERT INTO "authority" ("id", "type", "name") VALUES ('user997', 'USER', 'User 997');
+						INSERT INTO "authority" ("id", "type", "name") VALUES ('user998', 'USER', 'User 998');
+						INSERT INTO "authority" ("id", "type", "name") VALUES ('user999', 'USER', 'User 999');
+						INSERT INTO "user_details" ("id", "ecdsa_publickey") VALUES ('user997', 'ecdsa_public997');
+						INSERT INTO "user_details" ("id", "ecdsa_publickey") VALUES ('user998', 'ecdsa_public998');
+						INSERT INTO "user_details" ("id", "ecdsa_publickey") VALUES ('user999', 'ecdsa_public999');
+						""");
+			}
+		}
+
+		@Test
+		@Order(1)
+		@DisplayName("PUT /users/trusted/user998 as user 997")
+		@TestSecurity(user = "User 997", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user997")
+		})
+		public void test997Trusts998() {
+			given().contentType(ContentType.TEXT).body("997 trusts 998")
+					.when().put("/users/trusted/user998")
+					.then().statusCode(204);
+		}
+
+		@Test
+		@Order(1)
+		@DisplayName("PUT /users/trusted/user999 as user 998")
+		@TestSecurity(user = "User 998", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user998")
+		})
+		public void test998Trusts999() {
+			given().contentType(ContentType.TEXT).body("998 trusts 999")
+					.when().put("/users/trusted/user999")
+					.then().statusCode(204);
+		}
+
+		@Test
+		@Order(1)
+		@DisplayName("PUT /users/trusted/user997 as user 998")
+		@TestSecurity(user = "User 998", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user998")
+		})
+		public void test998Trusts997() {
+			given().contentType(ContentType.TEXT).body("998 trusts 997")
+					.when().put("/users/trusted/user997")
+					.then().statusCode(204);
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("GET /users/trusted as user 997")
+		@TestSecurity(user = "User 997", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user997")
+		})
+		public void testGetTrustedBy997() {
+			given().when().get("/users/trusted")
+					.then().statusCode(200)
+					.body("$", hasSize(2))
+					.body("trustedUserId", hasItems("user998", "user999"))
+					.body("find{it.trustedUserId==\"user998\"}.signatureChain", hasItems("997 trusts 998"))
+					.body("find{it.trustedUserId==\"user999\"}.signatureChain", hasItems("997 trusts 998", "998 trusts 999"));
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("GET /users/trusted as user 998")
+		@TestSecurity(user = "User 998", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user998")
+		})
+		public void testGetTrustedBy998() {
+			given().when().get("/users/trusted")
+					.then().statusCode(200)
+					.body("$", hasSize(2))
+					.body("trustedUserId", hasItems("user997", "user999"))
+					.body("find{it.trustedUserId==\"user997\"}.signatureChain", hasItems("998 trusts 997"))
+					.body("find{it.trustedUserId==\"user999\"}.signatureChain", hasItems("998 trusts 999"));
+		}
+
+		@Test
+		@Order(2)
+		@DisplayName("GET /users/trusted as user 999")
+		@TestSecurity(user = "User 999", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user999")
+		})
+		public void testGetTrustedBy999() {
+			given().when().get("/users/trusted")
+					.then().statusCode(200)
+					.body("$", hasSize(0));
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("GET /users/trusted/user998 as user 997")
+		@TestSecurity(user = "User 997", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user997")
+		})
+		public void test997Gets998() {
+			given().when().get("/users/trusted/user998")
+					.then().statusCode(200)
+					.body("signatureChain", hasItems("997 trusts 998"));
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("GET /users/trusted/user999 as user 997")
+		@TestSecurity(user = "User 997", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user997")
+		})
+		public void test997Gets999() {
+			given().when().get("/users/trusted/user999")
+					.then().statusCode(200)
+					.body("signatureChain", hasItems("997 trusts 998", "998 trusts 999"));
+		}
+
+		@Test
+		@Order(3)
+		@DisplayName("GET /users/trusted/user998 as user 999")
+		@TestSecurity(user = "User 999", roles = {"user"})
+		@OidcSecurity(claims = {
+				@Claim(key = "sub", value = "user999")
+		})
+		public void test999Gets998() {
+			given().when().get("/users/trusted/user998")
+					.then().statusCode(404);
+		}
+
+		@Test
+		@Order(4)
+		@TestSecurity(user = "Admin", roles = {"admin"})
+		@DisplayName("As admin, GET /auditlog contains signature events")
+		public void testGetAuditLogEntries() {
+			Mockito.doReturn(true).when(licenseHolder).isSet();
+			Mockito.doReturn(false).when(licenseHolder).isExpired();
+
+			given().param("startDate", DateTimeFormatter.ISO_INSTANT.format(testStart))
+					.param("endDate", DateTimeFormatter.ISO_INSTANT.format(Instant.now()))
+					.param("paginationId", 9999L)
+					.when().get("/auditlog")
+					.then().statusCode(200)
+					.body("signature", contains("997 trusts 998", "998 trusts 999", "998 trusts 997"));
+		}
+
+
+		@AfterAll
+		public void tearDown() throws SQLException {
+			try (var c = dataSource.getConnection(); var s = c.createStatement()) {
+				s.execute("""
+						DELETE FROM "authority" WHERE "id" IN ('user997', 'user998', 'user999');
+						""");
+			}
+		}
+
+	}
+
 }
\ No newline at end of file
diff --git a/frontend/src/common/auditlog.ts b/frontend/src/common/auditlog.ts
index e6c83dcc..5ccdbdd9 100644
--- a/frontend/src/common/auditlog.ts
+++ b/frontend/src/common/auditlog.ts
@@ -3,32 +3,42 @@ import { Deferred, debounce } from './util';
 
 /* DTOs */
 
-export type AuditEventDto = {
+type AuditEventDtoBase = {
   id: number;
   timestamp: Date;
-  type: 'DEVICE_REGISTER' | 'DEVICE_REMOVE' | 'VAULT_CREATE' | 'VAULT_UPDATE' | 'VAULT_ACCESS_GRANT' | 'VAULT_KEY_RETRIEVE' | 'VAULT_MEMBER_ADD' | 'VAULT_MEMBER_REMOVE' | 'VAULT_MEMBER_UPDATE' | 'VAULT_OWNERSHIP_CLAIM';
 }
-
-export type AuditEventDeviceRegisterDto = AuditEventDto & {
+export type AuditEventDeviceRegisterDto = AuditEventDtoBase & {
+  type: 'DEVICE_REGISTER',
   registeredBy: string;
   deviceId: string;
   deviceName: string;
   deviceType: 'BROWSER' | 'DESKTOP' | 'MOBILE';
 }
 
-export type AuditEventDeviceRemoveDto = AuditEventDto & {
+export type AuditEventDeviceRemoveDto = AuditEventDtoBase & {
+  type: 'DEVICE_REMOVE',
   removedBy: string;
   deviceId: string;
 }
 
-export type AuditEventVaultCreateDto = AuditEventDto & {
+export type AuditEventSignedWotIdDto = AuditEventDtoBase & {
+  type: 'SIGN_WOT_ID',
+  userId: string;
+  signerId: string;
+  signerKey: string;
+  signature: string;
+}
+
+export type AuditEventVaultCreateDto = AuditEventDtoBase & {
+  type: 'VAULT_CREATE',
   createdBy: string;
   vaultId: string;
   vaultName: string;
   vaultDescription: string;
 }
 
-export type AuditEventVaultUpdateDto = AuditEventDto & {
+export type AuditEventVaultUpdateDto = AuditEventDtoBase & {
+  type: 'VAULT_UPDATE',
   updatedBy: string;
   vaultId: string;
   vaultName: string;
@@ -36,43 +46,51 @@ export type AuditEventVaultUpdateDto = AuditEventDto & {
   vaultArchived: boolean;
 }
 
-export type AuditEventVaultAccessGrantDto = AuditEventDto & {
+export type AuditEventVaultAccessGrantDto = AuditEventDtoBase & {
+  type: 'VAULT_ACCESS_GRANT',
   grantedBy: string;
   vaultId: string;
   authorityId: string;
 }
 
-export type AuditEventVaultKeyRetrieveDto = AuditEventDto & {
+export type AuditEventVaultKeyRetrieveDto = AuditEventDtoBase & {
+  type: 'VAULT_KEY_RETRIEVE',
   retrievedBy: string;
   vaultId: string;
   result: 'SUCCESS' | 'UNAUTHORIZED';
 }
 
-export type AuditEventVaultMemberAddDto = AuditEventDto & {
+export type AuditEventVaultMemberAddDto = AuditEventDtoBase & {
+  type: 'VAULT_MEMBER_ADD',
   addedBy: string;
   vaultId: string;
   authorityId: string;
   role: 'MEMBER' | 'OWNER';
 }
 
-export type AuditEventVaultMemberRemoveDto = AuditEventDto & {
+export type AuditEventVaultMemberRemoveDto = AuditEventDtoBase & {
+  type: 'VAULT_MEMBER_REMOVE',
   removedBy: string;
   vaultId: string;
   authorityId: string;
 }
 
-export type AuditEventVaultMemberUpdateDto = AuditEventDto & {
+export type AuditEventVaultMemberUpdateDto = AuditEventDtoBase & {
+  type: 'VAULT_MEMBER_UPDATE',
   updatedBy: string;
   vaultId: string;
   authorityId: string;
   role: 'MEMBER' | 'OWNER';
 }
 
-export type AuditEventVaultOwnershipClaimDto = AuditEventDto & {
+export type AuditEventVaultOwnershipClaimDto = AuditEventDtoBase & {
+  type: 'VAULT_OWNERSHIP_CLAIM',
   claimedBy: string;
   vaultId: string;
 }
 
+export type AuditEventDto = AuditEventDeviceRegisterDto | AuditEventDeviceRemoveDto | AuditEventSignedWotIdDto | AuditEventVaultCreateDto | AuditEventVaultUpdateDto | AuditEventVaultAccessGrantDto | AuditEventVaultKeyRetrieveDto | AuditEventVaultMemberAddDto | AuditEventVaultMemberRemoveDto | AuditEventVaultMemberUpdateDto | AuditEventVaultOwnershipClaimDto;
+
 /* Entity Cache */
 
 export class AuditLogEntityCache {
diff --git a/frontend/src/common/backend.ts b/frontend/src/common/backend.ts
index fb2072a4..b833e754 100644
--- a/frontend/src/common/backend.ts
+++ b/frontend/src/common/backend.ts
@@ -91,6 +91,11 @@ export type MemberDto = AuthorityDto & {
   role: VaultRole
 }
 
+export type TrustDto = {
+  trustedUserId: string,
+  signatureChain: string[]
+}
+
 export type BillingDto = {
   hubId: string;
   hasLicense: boolean;
@@ -107,6 +112,12 @@ export type VersionDto = {
   keycloakVersion: string;
 }
 
+export type SettingsDto = {
+  hubId: string,
+  wotMaxDepth: number,
+  wotIdVerifyLen: number
+}
+
 export class LicenseUserInfoDto {
   constructor(
     public licensedSeats: number,
@@ -245,6 +256,23 @@ class UserService {
   }
 }
 
+class TrustService {
+  public async trustUser(userId: string, signature: string): Promise<void> {
+    return axiosAuth.put(`/users/trusted/${userId}`, signature, { headers: { 'Content-Type': 'text/plain' } });
+  }
+  public async get(userId: string): Promise<TrustDto | undefined> {
+    return axiosAuth.get<TrustDto>(`/users/trusted/${userId}`).then(response => response.data)
+      .catch(e => {
+        if (e.response.status === 404) return undefined;
+        else throw e;
+      });
+  }
+
+  public async listTrusted(): Promise<TrustDto[]> {
+    return axiosAuth.get<TrustDto[]>('/users/trusted').then(response => response.data);
+  }
+}
+
 class AuthorityService {
   public async search(query: string): Promise<AuthorityDto[]> {
     return axiosAuth.get<AuthorityDto[]>(`/authorities/search?query=${query}`).then(response => response.data.map(AuthorityService.fillInMissingPicture));
@@ -333,17 +361,25 @@ class VersionService {
   }
 }
 
+class SettingsService {
+  public async get(): Promise<SettingsDto> {
+    return axiosAuth.get<SettingsDto>('/settings').then(response => response.data);
+  }
+}
+
 /**
  * Note: Each service can thrown an {@link UnauthorizedError} when the access token is expired!
  */
 const services = {
   vaults: new VaultService(),
   users: new UserService(),
+  trust: new TrustService(),
   authorities: new AuthorityService(),
   devices: new DeviceService(),
   billing: new BillingService(),
   version: new VersionService(),
-  license: new LicenseService()
+  license: new LicenseService(),
+  settings: new SettingsService()
 };
 
 export default services;
diff --git a/frontend/src/common/crypto.ts b/frontend/src/common/crypto.ts
index a2cc0d6f..351741ff 100644
--- a/frontend/src/common/crypto.ts
+++ b/frontend/src/common/crypto.ts
@@ -260,11 +260,13 @@ export class VaultKeys {
 }
 
 export class UserKeys {
-  public static readonly ECDH_KEY_USAGES: KeyUsage[] = ['deriveBits'];
+  public static readonly ECDH_PRIV_KEY_USAGES: KeyUsage[] = ['deriveBits'];
 
   public static readonly ECDH_KEY_DESIGNATION: EcKeyImportParams | EcKeyGenParams = { name: 'ECDH', namedCurve: 'P-384' };
 
-  public static readonly ECDSA_KEY_USAGES: KeyUsage[] = ['sign'];
+  public static readonly ECDSA_PRIV_KEY_USAGES: KeyUsage[] = ['sign'];
+
+  public static readonly ECDSA_PUB_KEY_USAGES: KeyUsage[] = ['verify'];
 
   public static readonly ECDSA_KEY_DESIGNATION: EcKeyImportParams | EcKeyGenParams = { name: 'ECDSA', namedCurve: 'P-384' };
 
@@ -276,8 +278,8 @@ export class UserKeys {
    * @returns A set of new user key pairs
    */
   public static async create(): Promise<UserKeys> {
-    const ecdhKeyPair = crypto.subtle.generateKey(UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_KEY_USAGES);
-    const ecdsaKeyPair = crypto.subtle.generateKey(UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_KEY_USAGES);
+    const ecdhKeyPair = crypto.subtle.generateKey(UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_PRIV_KEY_USAGES);
+    const ecdsaKeyPair = crypto.subtle.generateKey(UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES);
     return new UserKeys(await ecdhKeyPair, await ecdsaKeyPair);
   }
 
@@ -311,17 +313,17 @@ export class UserKeys {
   private static async createFromJwe(jwe: UserKeyPayload, ecdhPublicKey: CryptoKey | BufferSource, ecdsaPublicKey?: CryptoKey | BufferSource): Promise<UserKeys> {
     const ecdhKeyPair: CryptoKeyPair = {
       publicKey: await asPublicKey(ecdhPublicKey, UserKeys.ECDH_KEY_DESIGNATION),
-      privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdhPrivateKey ?? jwe.key, { loose: true }), UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_KEY_USAGES)
+      privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdhPrivateKey ?? jwe.key, { loose: true }), UserKeys.ECDH_KEY_DESIGNATION, true, UserKeys.ECDH_PRIV_KEY_USAGES)
     };
     let ecdsaKeyPair: CryptoKeyPair;
     if (jwe.ecdsaPrivateKey && ecdsaPublicKey) {
       ecdsaKeyPair = {
-        publicKey: await asPublicKey(ecdsaPublicKey, UserKeys.ECDSA_KEY_DESIGNATION),
-        privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdsaPrivateKey, { loose: true }), UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_KEY_USAGES)
+        publicKey: await asPublicKey(ecdsaPublicKey, UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES),
+        privateKey: await crypto.subtle.importKey('pkcs8', base64.parse(jwe.ecdsaPrivateKey, { loose: true }), UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES)
       };
     } else {
       // ECDSA key was added in Hub 1.4.0. If it's missing, we generate a new one.
-      ecdsaKeyPair = await crypto.subtle.generateKey(UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_KEY_USAGES);
+      ecdsaKeyPair = await crypto.subtle.generateKey(UserKeys.ECDSA_KEY_DESIGNATION, true, UserKeys.ECDSA_PRIV_KEY_USAGES);
     }
     return new UserKeys(ecdhKeyPair, ecdsaKeyPair);
   }
@@ -456,22 +458,40 @@ export class BrowserKeys {
   }
 }
 
-async function asPublicKey(publicKey: CryptoKey | BufferSource, keyDesignation: EcKeyImportParams): Promise<CryptoKey> {
+export async function asPublicKey(publicKey: CryptoKey | BufferSource, keyDesignation: EcKeyImportParams, keyUsages: KeyUsage[] = []): Promise<CryptoKey> {
   if (publicKey instanceof CryptoKey) {
     return publicKey;
   } else {
-    return await crypto.subtle.importKey('spki', publicKey, keyDesignation, true, []);
+    return await crypto.subtle.importKey('spki', publicKey, keyDesignation, true, keyUsages);
   }
 }
 
-export async function getFingerprint(key: string | undefined) {
-  if (key) {
-    const encodedKey = new TextEncoder().encode(key);
-    const hashBuffer = await crypto.subtle.digest('SHA-256', encodedKey);
-    const hashArray = Array.from(new Uint8Array(hashBuffer));
-    const hashHex = hashArray
-      .map((b) => b.toString(16).padStart(2, '0').toUpperCase())
-      .join('');
-    return hashHex;
+/**
+ * Computes the JWK Thumbprint (RFC 7638) using SHA-256.
+ * @param key A key to compute the thumbprint for
+ * @throws Error if the key is not supported
+ */
+export async function getJwkThumbprint(key: JsonWebKey | CryptoKey): Promise<Uint8Array> {
+  let jwk: JsonWebKey;
+  if (key instanceof CryptoKey) {
+    jwk = await crypto.subtle.exportKey('jwk', key);
+  } else {
+    jwk = key;
+  }
+  // see https://datatracker.ietf.org/doc/html/rfc7638#section-3.2
+  let orderedJson: string;
+  switch (jwk.kty) {
+    case 'EC':
+      orderedJson = `{"crv":"${jwk.crv}","kty":"${jwk.kty}","x":"${jwk.x}","y":"${jwk.y}"}`;
+      break;
+    case 'RSA':
+      orderedJson = `{"e":"${jwk.e}","kty":"${jwk.kty}","n":"${jwk.n}"}`;
+      break;
+    case 'oct':
+      orderedJson = `{"k":"${jwk.k}","kty":"${jwk.kty}"}`;
+      break;
+    default: throw new Error('Unsupported key type');
   }
+  const bytes = new TextEncoder().encode(orderedJson);
+  return new Uint8Array(await crypto.subtle.digest('SHA-256', bytes));
 }
diff --git a/frontend/src/common/jwt.ts b/frontend/src/common/jwt.ts
index 16979d94..f7a7d00a 100644
--- a/frontend/src/common/jwt.ts
+++ b/frontend/src/common/jwt.ts
@@ -4,11 +4,12 @@ export type JWTHeader = {
   alg: 'ES384';
   typ: 'JWT';
   b64: true;
+  [other: string]: undefined | string | number | boolean | object; // allow further properties
 }
 
 export class JWT {
   /**
-   * Creates a ES384 JWT (signed with ECDSA using P-384 and SHA-384).
+   * Creates an ES384 JWT (signed with ECDSA using P-384 and SHA-384).
    * 
    * See <a href="https://datatracker.ietf.org/doc/html/rfc7519">RFC 7519</a>,
    * <a href="https://datatracker.ietf.org/doc/html/rfc7515">RFC 7515</a> and
@@ -37,4 +38,41 @@ export class JWT {
     );
     return base64url.stringify(new Uint8Array(signature), { pad: false });
   }
+
+  /**
+   * Decodes and verifies an ES384 JWT (signed with ECDSA using P-384 and SHA-384).
+   * @param jwt 
+   * @param signerPublicKey 
+   * @returns header and payload
+   * @throws Error if the JWT is invalid
+   */
+  public static async parse(jwt: string, signerPublicKey: CryptoKey): Promise<[JWTHeader, any]> {
+    const [encodedHeader, encodedPayload, encodedSignature] = jwt.split('.');
+    const header: JWTHeader = JSON.parse(new TextDecoder().decode(base64url.parse(encodedHeader, { loose: true })));
+    if (header.alg !== 'ES384') {
+      throw new Error('Unsupported algorithm');
+    }
+    const validSignature = await this.es384verify(jwt, signerPublicKey);
+    if (!validSignature) {
+      throw new Error('Invalid signature');
+    }
+    const payload = JSON.parse(new TextDecoder().decode(base64url.parse(encodedPayload, { loose: true })));
+    return [header, payload];
+  }
+
+  // visible for testing
+  public static async es384verify(jwt: string, signerPublicKey: CryptoKey): Promise<boolean> {
+    const [encodedHeader, encodedPayload, encodedSignature] = jwt.split('.');
+    const headerAndPayload = new TextEncoder().encode(encodedHeader + '.' + encodedPayload);
+    const signature = base64url.parse(encodedSignature);
+    return window.crypto.subtle.verify(
+      {
+        name: 'ECDSA',
+        hash: { name: 'SHA-384' },
+      },
+      signerPublicKey,
+      signature,
+      headerAndPayload
+    );
+  }
 }
diff --git a/frontend/src/common/wot.ts b/frontend/src/common/wot.ts
new file mode 100644
index 00000000..dcf5fb67
--- /dev/null
+++ b/frontend/src/common/wot.ts
@@ -0,0 +1,101 @@
+import { base64 } from 'rfc4648';
+import backend, { TrustDto, UserDto } from './backend';
+import { UserKeys, asPublicKey, getJwkThumbprint } from './crypto';
+import { JWT, JWTHeader } from './jwt';
+import userdata from './userdata';
+
+export type SignedKeys = {
+  ecdhPublicKey: string;
+  ecdsaPublicKey: string;
+}
+
+function deeplyEqual(a: SignedKeys, b: SignedKeys) {
+  return a.ecdhPublicKey === b.ecdhPublicKey
+    && a.ecdsaPublicKey === b.ecdsaPublicKey;
+}
+
+/**
+ * Signs the public key of a user with my private key and sends the signature to the backend.
+ * @param user The user whose keys to sign
+ * @returns The new trust object created during the signing process
+ */
+async function sign(user: UserDto): Promise<TrustDto> {
+  if (!user.ecdhPublicKey || !user.ecdsaPublicKey) {
+    throw new Error('No public key to sign');
+  }
+  const toSign: SignedKeys = {
+    ecdhPublicKey: user.ecdhPublicKey,
+    ecdsaPublicKey: user.ecdsaPublicKey
+  };
+  const me = await userdata.me;
+  const userKeys = await userdata.decryptUserKeysWithBrowser();
+  const signature = await JWT.build({
+    alg: 'ES384',
+    typ: 'JWT',
+    b64: true,
+    iss: me.id,
+    sub: user.id,
+    iat: Math.floor(Date.now() / 1000)
+  }, toSign, userKeys.ecdsaKeyPair.privateKey);
+  await backend.trust.trustUser(user.id, signature);
+  const trust = await backend.trust.get(user.id);
+  return trust!;
+}
+
+/**
+ * Verifies a chain of signatures, where each signature signs the public key of the next signature.
+ * @param signatureChain The signature chain, where the first element is signed by me
+ * @param allegedSignedKey The public key that should be signed by the last signature in the chain
+ */
+async function verify(signatureChain: string[], allegedSignedKey: SignedKeys) {
+  let signerPublicKey = await userdata.decryptUserKeysWithBrowser().then(keys => keys.ecdsaKeyPair.publicKey);
+  await verifyRescursive(signatureChain, signerPublicKey, allegedSignedKey);
+}
+
+/**
+ * Recursively verifies a chain of signatures, where each signature signs the public key of the next signature.
+ * @param signatureChain The chain of signatures to verify
+ * @param signerPublicKey A trusted public key to verify the first signature in the chain
+ * @param allegedSignedKey The public key that should be signed by the last signature in the chain
+ * @throws Error if the signature chain is invalid
+ */
+async function verifyRescursive(signatureChain: string[], signerPublicKey: CryptoKey, allegedSignedKey: SignedKeys) {
+  // get first element of signature chain:
+  const [signature, ...remainingChain] = signatureChain;
+  const [_, signedKeys] = await JWT.parse(signature, signerPublicKey) as [JWTHeader, SignedKeys];
+  if (remainingChain.length === 0) {
+    // last element in chain should match signed public key
+    if (!deeplyEqual(signedKeys, allegedSignedKey)) {
+      throw new Error('Alleged public key does not match signed public key');
+    }
+  } else {
+    // otherwise, the payload is an intermediate public key used to sign the next element
+    const nextTrustedPublicKey = await asPublicKey(base64.parse(signedKeys.ecdsaPublicKey), UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
+    await verifyRescursive(remainingChain, nextTrustedPublicKey, allegedSignedKey);
+  }
+}
+
+/**
+ * Creates a unique fingerprint for a user by hashing the concatenated thumbprints of their public keys.
+ * @param user The user whose fingerprint to compute
+ * @returns Hexadecimal representation of the fingerprint
+ */
+async function computeFingerprint(user: { ecdhPublicKey?: string; ecdsaPublicKey?: string }) {
+  if (!user.ecdhPublicKey || !user.ecdsaPublicKey) {
+    throw new Error('User has no public keys');
+  }
+  const ecdhPublicKey = await asPublicKey(base64.parse(user.ecdhPublicKey), UserKeys.ECDH_KEY_DESIGNATION);
+  const ecdsaPublicKey = await asPublicKey(base64.parse(user.ecdsaPublicKey), UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
+  const concatenatedThumbprints = new Uint8Array([
+    ...await getJwkThumbprint(ecdhPublicKey),
+    ...await getJwkThumbprint(ecdsaPublicKey)
+  ]);
+  const digest = await crypto.subtle.digest('SHA-256', concatenatedThumbprints);
+  const digestBytes = Array.from(new Uint8Array(digest));
+  const digestHexStr = digestBytes
+    .map((b) => b.toString(16).padStart(2, '0').toUpperCase())
+    .join('');
+  return digestHexStr;
+}
+
+export default { sign, verify, computeFingerprint };
diff --git a/frontend/src/components/AuditLog.vue b/frontend/src/components/AuditLog.vue
index 22337126..1f1ed11f 100644
--- a/frontend/src/components/AuditLog.vue
+++ b/frontend/src/components/AuditLog.vue
@@ -101,16 +101,17 @@
                   <td class="whitespace-nowrap py-4 pl-4 pr-3 text-sm text-gray-500 sm:pl-6">
                     <code>{{ auditEvent.timestamp.toLocaleString('sv') }}</code>
                   </td>
-                  <AuditLogDetailsDeviceRegister v-if="auditEvent.type == 'DEVICE_REGISTER'" :event="(auditEvent as AuditEventDeviceRegisterDto)" />
-                  <AuditLogDetailsDeviceRemove v-else-if="auditEvent.type == 'DEVICE_REMOVE'" :event="(auditEvent as AuditEventDeviceRemoveDto)" />
-                  <AuditLogDetailsVaultCreate v-else-if="auditEvent.type == 'VAULT_CREATE'" :event="(auditEvent as AuditEventVaultCreateDto)" />
-                  <AuditLogDetailsVaultUpdate v-else-if="auditEvent.type == 'VAULT_UPDATE'" :event="(auditEvent as AuditEventVaultUpdateDto)" />
-                  <AuditLogDetailsVaultAccessGrant v-else-if="auditEvent.type == 'VAULT_ACCESS_GRANT'" :event="(auditEvent as AuditEventVaultAccessGrantDto)" />
-                  <AuditLogDetailsVaultKeyRetrieve v-else-if="auditEvent.type == 'VAULT_KEY_RETRIEVE'" :event="(auditEvent as AuditEventVaultKeyRetrieveDto)" />
-                  <AuditLogDetailsVaultMemberAdd v-else-if="auditEvent.type == 'VAULT_MEMBER_ADD'" :event="(auditEvent as AuditEventVaultMemberAddDto)" />
-                  <AuditLogDetailsVaultMemberRemove v-else-if="auditEvent.type == 'VAULT_MEMBER_REMOVE'" :event="(auditEvent as AuditEventVaultMemberRemoveDto)" />
-                  <AuditLogDetailsVaultMemberUpdate v-else-if="auditEvent.type == 'VAULT_MEMBER_UPDATE'" :event="(auditEvent as AuditEventVaultMemberUpdateDto)" />
-                  <AuditLogDetailsVaultOwnershipClaim v-else-if="auditEvent.type == 'VAULT_OWNERSHIP_CLAIM'" :event="(auditEvent as AuditEventVaultOwnershipClaimDto)" />
+                  <AuditLogDetailsDeviceRegister v-if="auditEvent.type == 'DEVICE_REGISTER'" :event="auditEvent" />
+                  <AuditLogDetailsDeviceRemove v-else-if="auditEvent.type == 'DEVICE_REMOVE'" :event="auditEvent" />
+                  <AuditLogDetailsSignedWotId v-else-if="auditEvent.type == 'SIGN_WOT_ID'" :event="auditEvent" />
+                  <AuditLogDetailsVaultCreate v-else-if="auditEvent.type == 'VAULT_CREATE'" :event="auditEvent" />
+                  <AuditLogDetailsVaultUpdate v-else-if="auditEvent.type == 'VAULT_UPDATE'" :event="auditEvent" />
+                  <AuditLogDetailsVaultAccessGrant v-else-if="auditEvent.type == 'VAULT_ACCESS_GRANT'" :event="auditEvent" />
+                  <AuditLogDetailsVaultKeyRetrieve v-else-if="auditEvent.type == 'VAULT_KEY_RETRIEVE'" :event="auditEvent" />
+                  <AuditLogDetailsVaultMemberAdd v-else-if="auditEvent.type == 'VAULT_MEMBER_ADD'" :event="auditEvent" />
+                  <AuditLogDetailsVaultMemberRemove v-else-if="auditEvent.type == 'VAULT_MEMBER_REMOVE'" :event="auditEvent" />
+                  <AuditLogDetailsVaultMemberUpdate v-else-if="auditEvent.type == 'VAULT_MEMBER_UPDATE'" :event="auditEvent" />
+                  <AuditLogDetailsVaultOwnershipClaim v-else-if="auditEvent.type == 'VAULT_OWNERSHIP_CLAIM'" :event="auditEvent" />
                 </tr>
               </tbody>
               <tfoot class="bg-gray-50">
@@ -164,10 +165,11 @@ import { ChevronDownIcon } from '@heroicons/vue/20/solid';
 import { CheckIcon, ChevronUpDownIcon, WrenchIcon } from '@heroicons/vue/24/solid';
 import { computed, onMounted, ref, watch } from 'vue';
 import { useI18n } from 'vue-i18n';
-import auditlog, { AuditEventDeviceRegisterDto, AuditEventDeviceRemoveDto, AuditEventDto, AuditEventVaultAccessGrantDto, AuditEventVaultCreateDto, AuditEventVaultKeyRetrieveDto, AuditEventVaultMemberAddDto, AuditEventVaultMemberRemoveDto, AuditEventVaultMemberUpdateDto, AuditEventVaultOwnershipClaimDto, AuditEventVaultUpdateDto } from '../common/auditlog';
+import auditlog, { AuditEventDto } from '../common/auditlog';
 import { PaymentRequiredError } from '../common/backend';
 import AuditLogDetailsDeviceRegister from './AuditLogDetailsDeviceRegister.vue';
 import AuditLogDetailsDeviceRemove from './AuditLogDetailsDeviceRemove.vue';
+import AuditLogDetailsSignedWotId from './AuditLogDetailsSignedWotId.vue';
 import AuditLogDetailsVaultAccessGrant from './AuditLogDetailsVaultAccessGrant.vue';
 import AuditLogDetailsVaultCreate from './AuditLogDetailsVaultCreate.vue';
 import AuditLogDetailsVaultKeyRetrieve from './AuditLogDetailsVaultKeyRetrieve.vue';
diff --git a/frontend/src/components/AuditLogDetailsSignedWotId.vue b/frontend/src/components/AuditLogDetailsSignedWotId.vue
new file mode 100644
index 00000000..a537e6fa
--- /dev/null
+++ b/frontend/src/components/AuditLogDetailsSignedWotId.vue
@@ -0,0 +1,95 @@
+<template>
+  <td class="whitespace-nowrap px-3 py-4 text-sm font-medium text-gray-900">
+    {{ t('auditLog.details.wot.signedIdentity') }}
+  </td>
+  <td class="whitespace-nowrap py-4 pl-3 pr-4 sm:pr-6">
+    <dl class="flex flex-col gap-2">
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>signer</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedSigner">{{ resolvedSigner.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedSigner != null}">{{ event.signerId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>identity</code>
+        </dt>
+        <dd class="flex items-baseline gap-2 text-sm text-gray-900">
+          <span v-if="resolvedUser">{{ resolvedUser.name }}</span>
+          <code class="text-xs" :class="{'text-gray-600': resolvedUser != null}">{{ event.userId }}</code>
+        </dd>
+      </div>
+      <div class="flex items-baseline gap-2">
+        <dt class="text-xs text-gray-500">
+          <code>signature</code>
+        </dt>
+        <dd class="text-sm text-gray-900">
+          <span v-if="signatureStatus === SignatureStatus.STILL_VALID" class="text-primary">still valid</span>
+          <span v-else-if="signatureStatus === SignatureStatus.SIGNER_KEY_CHANGED" class="text-amber-500">was valid; signer key changed by now</span>
+          <span v-else-if="signatureStatus === SignatureStatus.SIGNED_KEY_CHANGED" class="text-amber-500">was valid; signed key changed by now</span>
+          <span v-else class="text-red-600">invalid</span>
+        </dd>
+      </div>
+    </dl>
+  </td>
+</template>
+
+<script setup lang="ts">
+import { base64 } from 'rfc4648';
+import { onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import auditlog, { AuditEventSignedWotIdDto } from '../common/auditlog';
+import { UserDto } from '../common/backend';
+import { UserKeys, asPublicKey } from '../common/crypto';
+import { JWT, JWTHeader } from '../common/jwt';
+import wot, { SignedKeys } from '../common/wot';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  event: AuditEventSignedWotIdDto
+}>();
+
+enum SignatureStatus {
+  STILL_VALID,
+  SIGNER_KEY_CHANGED,
+  SIGNED_KEY_CHANGED,
+  INVALID
+}
+
+const resolvedUser = ref<UserDto>();
+const resolvedSigner = ref<UserDto>();
+const signatureStatus = ref<SignatureStatus>(SignatureStatus.INVALID);
+const signedFingerprint = ref<string>();
+const currentFingerprint = ref<string>();
+
+onMounted(async () => {
+  const trustedUser = await auditlog.entityCache.getAuthority(props.event.userId) as UserDto;
+  const signingUser = await auditlog.entityCache.getAuthority(props.event.signerId) as UserDto;
+
+  if (trustedUser) {
+    currentFingerprint.value = await wot.computeFingerprint(trustedUser);
+  }
+
+  try {
+    const signerPublicKey = await asPublicKey(base64.parse(props.event.signerKey), UserKeys.ECDSA_KEY_DESIGNATION, UserKeys.ECDSA_PUB_KEY_USAGES);
+    const [_, signedKeys] = await JWT.parse(props.event.signature, signerPublicKey) as [JWTHeader, SignedKeys];
+    signedFingerprint.value = await wot.computeFingerprint({ecdhPublicKey: signedKeys.ecdhPublicKey, ecdsaPublicKey: signedKeys.ecdsaPublicKey});
+    if (props.event.signerKey === signingUser?.ecdsaPublicKey && signedFingerprint.value === currentFingerprint.value) {
+      signatureStatus.value = SignatureStatus.STILL_VALID;
+    } else if (props.event.signerKey !== signingUser?.ecdsaPublicKey) {
+      signatureStatus.value = SignatureStatus.SIGNER_KEY_CHANGED;
+    } else if (signedFingerprint.value !== currentFingerprint.value) {
+      signatureStatus.value = SignatureStatus.SIGNED_KEY_CHANGED;
+    }
+  } catch (e) {
+    signatureStatus.value = SignatureStatus.INVALID;
+  } finally {
+    resolvedUser.value = trustedUser;
+    resolvedSigner.value = signingUser;
+  }
+});
+</script>
diff --git a/frontend/src/components/GrantPermissionDialog.vue b/frontend/src/components/GrantPermissionDialog.vue
index a5967f10..224d7189 100644
--- a/frontend/src/components/GrantPermissionDialog.vue
+++ b/frontend/src/components/GrantPermissionDialog.vue
@@ -9,39 +9,37 @@
         <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
           <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
             <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
-              <form novalidate @submit.prevent="grantAccess" >
-                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
-                  <div class="sm:flex sm:items-start">
-                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
-                      <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+              <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                <div class="sm:flex sm:items-start">
+                  <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-red-100 sm:mx-0 sm:h-10 sm:w-10">
+                    <ExclamationTriangleIcon class="h-6 w-6 text-red-600" aria-hidden="true" />
+                  </div>
+                  <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                    <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                      {{ t('grantPermissionDialog.title') }}
+                    </DialogTitle>
+                    <div class="mt-2">
+                      <p class="text-sm text-gray-500">
+                        {{ t('grantPermissionDialog.description') }}
+                      </p>
                     </div>
-                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
-                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
-                        {{ t('grantPermissionDialog.title') }}
-                      </DialogTitle>
-                      <div class="mt-2">
-                        <p class="text-sm text-gray-500">
-                          {{ t('grantPermissionDialog.description') }}
-                        </p>
-                      </div>
-                      <div class="mt-2 h-48 overflow-y-auto">
-                        <ul class="mt-2 border-t border-b border-gray-200 divide-y divide-gray-200">
-                          <template v-for="member in users.values()" :key="member.id">
-                            <li class="py-3 flex flex-col">
-                              <div class="flex justify-between items-center">
-                                <div class="flex items-center" :title="userKeyFingerprints.get(member.id)">
-                                  <img :src="member.pictureUrl" alt="" class="w-8 h-8 rounded-full" />
-                                  <p class="ml-4 text-sm font-medium text-gray-900">{{ member.name }}</p>
-                                  <p class="ml-3 inline-flex items-center rounded-md bg-gray-50 px-2 py-1 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10">{{ userKeyFingerprints.get(member.id)?.substring(0, 8) }}</p>
-                                </div>
-                              </div>
-                            </li>
-                          </template>
-                        </ul>
-                      </div>
+                    <div class="mt-2 h-48 overflow-y-auto">
+                      <ul class="mt-2 border-t border-b border-gray-200 divide-y divide-gray-200">
+                        <template v-for="member in users.values()" :key="member.id">
+                          <li class="py-3 flex flex-col">
+                            <div class="flex items-center whitespace-nowrap w-full">
+                              <img :src="member.pictureUrl" alt="" class="w-8 h-8 rounded-full" />
+                              <p class="ml-4 text-sm font-medium text-gray-900 w-full">{{ member.name }}</p>
+                              <TrustDetails v-if="member.type === 'USER'" :trusted-user="member" :trusts="trusts" @trust-changed="refreshTrusts()"/>
+                            </div>
+                          </li>
+                        </template>
+                      </ul>
                     </div>
                   </div>
                 </div>
+              </div>
+              <form novalidate @submit.prevent="grantAccess">
                 <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
                   <button type="submit" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-sm px-4 py-2 bg-red-600 text-base font-medium text-white hover:bg-red-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-red-500 sm:ml-3 sm:w-auto sm:text-sm" >
                     {{ t('grantPermissionDialog.submit', [users.length]) }}
@@ -71,13 +69,15 @@ import { ExclamationTriangleIcon } from '@heroicons/vue/24/outline';
 import { base64 } from 'rfc4648';
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import backend, { AccessGrant, ConflictError, NotFoundError, UserDto, VaultDto } from '../common/backend';
-import { VaultKeys, getFingerprint } from '../common/crypto';
+import backend, { AccessGrant, ConflictError, NotFoundError, TrustDto, UserDto, VaultDto } from '../common/backend';
+import { VaultKeys } from '../common/crypto';
+import TrustDetails from './TrustDetails.vue';
+
 
 const { t } = useI18n({ useScope: 'global' });
 
 const open = ref(false);
-
+const trusts = ref<TrustDto[]>([]);
 const onGrantPermissionError = ref<Error | null>();
 
 const props = defineProps<{
@@ -95,14 +95,14 @@ defineExpose({
   show
 });
 
-const userKeyFingerprints = ref<Map<string, string | undefined>>(new Map());
-
 onMounted(fetchData);
 
 async function fetchData() {
-  for (const user of props.users) {
-    userKeyFingerprints.value.set(user.id, await getFingerprint(user.ecdhPublicKey));
-  }
+  await refreshTrusts();
+}
+
+async function refreshTrusts() {
+  trusts.value = await backend.trust.listTrusted();
 }
 
 function show() {
diff --git a/frontend/src/components/SignUserKeysDialog.vue b/frontend/src/components/SignUserKeysDialog.vue
new file mode 100644
index 00000000..ee1399ad
--- /dev/null
+++ b/frontend/src/components/SignUserKeysDialog.vue
@@ -0,0 +1,123 @@
+<template>
+  <TransitionRoot as="template" :show="open" @after-leave="$emit('close')">
+    <Dialog as="div" class="fixed z-10 inset-0 overflow-y-auto" @close="open = false">
+      <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0" enter-to="opacity-100" leave="ease-in duration-200" leave-from="opacity-100" leave-to="opacity-0">
+        <DialogOverlay class="fixed inset-0 bg-gray-500 bg-opacity-75 transition-opacity" />
+      </TransitionChild>
+
+      <div class="fixed inset-0 z-10 overflow-y-auto">
+        <div class="flex min-h-full items-end justify-center p-4 text-center sm:items-center sm:p-0">
+          <TransitionChild as="template" enter="ease-out duration-300" enter-from="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95" enter-to="opacity-100 translate-y-0 sm:scale-100" leave="ease-in duration-200" leave-from="opacity-100 translate-y-0 sm:scale-100" leave-to="opacity-0 translate-y-4 sm:translate-y-0 sm:scale-95">
+            <DialogPanel class="relative transform overflow-hidden rounded-lg bg-white text-left shadow-xl transition-all sm:my-8 sm:w-full sm:max-w-lg">
+              <form novalidate @submit.prevent="sign" >
+                <div class="bg-white px-4 pt-5 pb-4 sm:p-6 sm:pb-4">
+                  <div class="sm:flex sm:items-start">
+                    <div class="mx-auto shrink-0 flex items-center justify-center h-12 w-12 rounded-full bg-primary-l2 sm:mx-0 sm:h-10 sm:w-10">
+                      <IdentificationIcon class="h-6 w-6 text-primary" aria-hidden="true" />
+                    </div>
+                    <div class="mt-3 grow text-center sm:mt-0 sm:ml-4 sm:text-left">
+                      <DialogTitle as="h3" class="text-lg leading-6 font-medium text-gray-900">
+                        {{ t('signUserKeysDialog.title', [user.name]) }}
+                      </DialogTitle>
+                      <div class="mt-2 text-sm text-gray-500">
+                        <p>
+                          {{ t('signUserKeysDialog.description', [minVerificationLen, user.name]) }}
+                        </p>
+                      </div>
+                      <div class="my-2">
+                        <label for="fingerprint" class="block text-sm font-medium leading-6 text-gray-900">Fingerprint</label>
+                        <div class="relative mt-2 rounded-md shadow-sm">
+                          <input type="text" name="fingerprint" v-model="enteredFingerprint" :readonly="minVerificationLen === 0" @keyup="tryAutocomplete()" id="fingerprint" class="block w-full rounded-md border-0 py-1.5 pr-10 text-gray-900 ring-1 ring-inset ring-gray-300 focus:ring-2 focus:ring-inset focus:ring-primary text-sm sm:leading-6" />
+                          <div class="pointer-events-none absolute inset-y-0 right-0 flex items-center pr-3">
+                            <CheckIcon class="h-5 w-5 text-primary" aria-hidden="true" v-if="fingerprintMatches"/>
+                          </div>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <div class="bg-gray-50 px-4 py-3 sm:px-6 sm:flex sm:flex-row-reverse">
+                  <button type="submit" :disabled="!fingerprintMatches" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-sm px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:ml-3 sm:w-auto sm:text-sm disabled:opacity-50 disabled:hover:bg-primary disabled:cursor-not-allowed" >
+                    {{ t('signUserKeysDialog.submit') }}
+                  </button>
+                  <button type="button" class="mt-3 w-full inline-flex justify-center rounded-md border border-gray-300 shadow-sm px-4 py-2 bg-white text-base font-medium text-gray-700 hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:mt-0 sm:ml-3 sm:w-auto sm:text-sm" @click="open = false">
+                    {{ t('common.cancel') }}
+                  </button>
+                </div>
+                <p v-if="onSignError != null" class="text-sm text-red-900 px-4 sm:px-6 text-right bg-red-50">
+                  {{ t('common.unexpectedError', [onSignError.message]) }}
+                </p>
+              </form>
+            </DialogPanel>
+          </TransitionChild>
+        </div>
+      </div>
+    </Dialog>
+  </TransitionRoot>
+</template>
+
+<script setup lang="ts">
+import { Dialog, DialogOverlay, DialogPanel, DialogTitle, TransitionChild, TransitionRoot } from '@headlessui/vue';
+import { CheckIcon, IdentificationIcon } from '@heroicons/vue/24/outline';
+import { computed, onMounted, ref } from 'vue';
+import { useI18n } from 'vue-i18n';
+import backend, { TrustDto, UserDto } from '../common/backend';
+import wot from '../common/wot';
+
+const { t } = useI18n({ useScope: 'global' });
+
+const open = ref(false);
+
+const props = defineProps<{
+  user: UserDto
+  trust?: TrustDto
+}>();
+
+const emit = defineEmits<{
+  close: []
+  signed: [TrustDto]
+}>();
+
+defineExpose({
+  show
+});
+
+const onSignError = ref<Error | null>();
+const expectedFingerprint = ref<string>();
+const enteredFingerprint = ref<string>('');
+const minVerificationLen = ref<number>(64); // default: check all 64 hex digits of 256 bit fingerprint
+const fingerprintMatches = computed(() => enteredFingerprint.value?.replaceAll(' ', '') === expectedFingerprint.value);
+
+onMounted(fetchData);
+
+async function fetchData() {
+  expectedFingerprint.value = await wot.computeFingerprint(props.user);
+  minVerificationLen.value = (await backend.settings.get()).wotIdVerifyLen;
+  if (minVerificationLen.value === 0) {
+    enteredFingerprint.value = expectedFingerprint.value.replace(/.{8}/g, "$&" + " ").trim();
+  }
+}
+
+function show() {
+  open.value = true;
+}
+
+async function tryAutocomplete() {
+  if (enteredFingerprint.value.length >= minVerificationLen.value) {
+    if (expectedFingerprint.value?.startsWith(enteredFingerprint.value)) {
+      enteredFingerprint.value = expectedFingerprint.value.replace(/.{8}/g, "$&" + " ").trim();
+    }
+  }
+}
+
+async function sign() {
+  try {
+    const newTrust = await wot.sign(props.user);
+    emit('signed', newTrust);
+    open.value = false;
+  } catch (error) {
+    onSignError.value = error;
+  }
+}
+
+</script>
diff --git a/frontend/src/components/TrustDetails.vue b/frontend/src/components/TrustDetails.vue
new file mode 100644
index 00000000..e14f5c6e
--- /dev/null
+++ b/frontend/src/components/TrustDetails.vue
@@ -0,0 +1,78 @@
+<template>
+  <Popover as="div" class="relative inline-block text-left overflow-visible">
+    <PopoverButton class="inline-flex items-center bg-gray-50 ring-1 ring-inset ring-gray-500/10 mx-1 p-1 rounded-full focus:outline-none focus:ring-primary">
+      <ShieldExclamationIcon v-if="trustLevel === -1" class="h-4 w-4 text-red-500" aria-label="Unverified" />
+      <ShieldCheckIcon v-else class="h-4 w-4 text-primary" aria-label="Verified" />
+    </PopoverButton>
+
+    <transition enter-active-class="transition ease-out duration-100" enter-from-class="transform opacity-0 scale-95" enter-to-class="transform opacity-100 scale-100" leave-active-class="transition ease-in duration-75" leave-from-class="transform opacity-100 scale-100" leave-to-class="transform opacity-0 scale-95">
+        <PopoverPanel class="absolute right-0 z-10 mt-2 origin-top-right rounded-md bg-white p-4 shadow-2xl ring-1 ring-black ring-opacity-5 focus:outline-none">
+          <p v-if="trustLevel === -1" class="text-sm mb-2">{{ t('trustDetails.trustLevel.untrusted') }}</p>
+          <p v-else-if="trustLevel === 0" class="text-sm mb-2">{{ t('trustDetails.trustLevel', [ n(1, 'percent')]) }}</p>
+          <p v-else-if="trustLevel > 0" class="text-sm mb-2">{{ t('trustDetails.trustLevel', [ n(1 / trustLevel, 'percent')]) }}</p>
+          <button v-if="trustLevel !== 0 && trustedUser.ecdhPublicKey && trustedUser.ecdsaPublicKey" @click="showSignUserKeysDialog()" class="w-full inline-flex justify-center rounded-md border border-transparent shadow-sm px-4 py-2 bg-primary text-base font-medium text-white hover:bg-primary-d1 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary sm:w-auto sm:text-sm">
+            {{ t('trustDetails.showSignDialogBtn') }}
+          </button>
+          <p v-if="!trustedUser.ecdhPublicKey || !trustedUser.ecdsaPublicKey" class="text-sm mb-2">{{ t('trustDetails.userNotSetUp') }}</p>
+        </PopoverPanel>
+    </transition>
+  </Popover>
+
+  <SignUserKeysDialog v-if="signingUserKeys" ref="signUserKeysDialog" :user="trustedUser" :trust="trust" @close="signingUserKeys = false" @signed="successfullySigned" />
+</template>
+
+<script setup lang="ts">
+import { Popover, PopoverButton, PopoverPanel } from '@headlessui/vue';
+import { ShieldCheckIcon, ShieldExclamationIcon } from '@heroicons/vue/20/solid';
+import { computed, nextTick, ref, watch } from 'vue';
+import { useI18n } from 'vue-i18n';
+import { TrustDto, UserDto } from '../common/backend';
+import userdata from '../common/userdata';
+import wot from '../common/wot';
+import SignUserKeysDialog from './SignUserKeysDialog.vue';
+
+const { t, n } = useI18n({ useScope: 'global' });
+
+const props = defineProps<{
+  trustedUser: UserDto,
+  trusts: TrustDto[]
+}>();
+
+const emit = defineEmits<{
+  trustChanged: [TrustDto]
+}>();
+
+const signUserKeysDialog = ref<typeof SignUserKeysDialog>();
+const signingUserKeys = ref<boolean>(false);
+const trust = computed(() => props.trusts.find(trust => trust.trustedUserId === props.trustedUser.id));
+const trustLevel = ref<number>(-1);
+
+watch(trust, computeTrustLevel, { immediate: true });
+
+async function computeTrustLevel(trust?: TrustDto) {
+  const me = await userdata.me;
+  if (me.id === props.trustedUser.id) {
+    trustLevel.value = 0; // Self
+  } else if (trust && props.trustedUser.ecdhPublicKey && props.trustedUser.ecdsaPublicKey) {
+    try {
+      await wot.verify(trust.signatureChain, { ecdhPublicKey: props.trustedUser.ecdhPublicKey, ecdsaPublicKey: props.trustedUser.ecdsaPublicKey });
+      trustLevel.value = trust.signatureChain.length;
+    } catch (error) {
+      console.error('WoT signature verification failed.', error);
+      trustLevel.value = -1; // Unverified
+    }
+  } else {
+    trustLevel.value = -1; // Unverified
+  }
+}
+
+function showSignUserKeysDialog() {
+  signingUserKeys.value = true;
+  nextTick(() => signUserKeysDialog.value?.show());
+}
+
+function successfullySigned(newTrust: TrustDto) {
+  emit('trustChanged', newTrust);
+}
+
+</script>
\ No newline at end of file
diff --git a/frontend/src/components/UserProfile.vue b/frontend/src/components/UserProfile.vue
index 7aeb5a14..7e8b256a 100644
--- a/frontend/src/components/UserProfile.vue
+++ b/frontend/src/components/UserProfile.vue
@@ -54,7 +54,7 @@
       <div class="grid grid-cols-1 gap-8 lg:col-span-3">
         <ManageSetupCode />
         <DeviceList />
-        <UserkeyFingerprint :user-public-key="me.ecdhPublicKey"/>
+        <UserkeyFingerprint :user="me"/>
       </div>
     </div>
   </div>
diff --git a/frontend/src/components/UserkeyFingerprint.vue b/frontend/src/components/UserkeyFingerprint.vue
index 43afcf73..bbbc41ef 100644
--- a/frontend/src/components/UserkeyFingerprint.vue
+++ b/frontend/src/components/UserkeyFingerprint.vue
@@ -20,20 +20,22 @@
 <script setup lang="ts">
 import { onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
-import { getFingerprint } from '../common/crypto';
+import { UserDto } from '../common/backend';
+import wot from '../common/wot';
 
 const { t } = useI18n({ useScope: 'global' });
 
 const keyFingerprint = ref<string | undefined>();
 
 const props = defineProps<{
-  userPublicKey?: string
+  user: UserDto
 }>();
 
 onMounted(fetchData);
 
 async function fetchData() {
-  keyFingerprint.value = await getFingerprint(props.userPublicKey).then((key) => key?.replace(/.{8}/g, "$&" + " "))
+  const fingerprint = await wot.computeFingerprint(props.user);
+  keyFingerprint.value = fingerprint?.replace(/.{8}/g, "$&" + " ").trim(); // Add space after every 8 characters
 }
 
 </script>
diff --git a/frontend/src/components/VaultDetails.vue b/frontend/src/components/VaultDetails.vue
index fbf5970b..abcdb3ce 100644
--- a/frontend/src/components/VaultDetails.vue
+++ b/frontend/src/components/VaultDetails.vue
@@ -44,9 +44,10 @@
           <template v-for="member in members.values()" :key="member.id">
             <li class="py-3 flex flex-col">
               <div class="flex justify-between items-center">
-                <div class="flex items-center text-ellipsis whitespace-nowrap overflow-hidden" :title="member.name">
+                <div class="flex items-center whitespace-nowrap w-full" :title="member.name">
                   <img :src="member.pictureUrl" alt="" class="w-8 h-8 rounded-full" />
                   <p class="w-full ml-4 text-sm font-medium text-gray-900 truncate">{{ member.name }}</p>
+                  <TrustDetails v-if="member.type === 'USER'" :trusted-user="member" :trusts="trusts" @trust-changed="refreshTrusts()"/>
                   <div v-if="member.role == 'OWNER'" class="ml-3 inline-flex items-center rounded-md bg-gray-50 px-2 py-1 text-xs font-medium text-gray-600 ring-1 ring-inset ring-gray-500/10">{{ t('vaultDetails.sharedWith.badge.owner') }}</div>
                 </div>
                 <Menu v-if="member.id != me?.id" as="div" class="relative ml-2 inline-block flex-shrink-0 text-left">
@@ -212,7 +213,7 @@ import { PlusSmallIcon } from '@heroicons/vue/24/solid';
 import { computed, nextTick, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import auth from '../common/auth';
-import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, UserDto, VaultDto, VaultRole } from '../common/backend';
+import backend, { AuthorityDto, ConflictError, ForbiddenError, LicenseUserInfoDto, MemberDto, NotFoundError, PaymentRequiredError, TrustDto, UserDto, VaultDto, VaultRole } from '../common/backend';
 import { VaultKeys } from '../common/crypto';
 import { JWT, JWTHeader } from '../common/jwt';
 import userdata from '../common/userdata';
@@ -226,6 +227,7 @@ import GrantPermissionDialog from './GrantPermissionDialog.vue';
 import ReactivateVaultDialog from './ReactivateVaultDialog.vue';
 import RecoverVaultDialog from './RecoverVaultDialog.vue';
 import SearchInputGroup from './SearchInputGroup.vue';
+import TrustDetails from './TrustDetails.vue';
 
 const { t, d } = useI18n({ useScope: 'global' });
 
@@ -264,6 +266,7 @@ const recoverVaultDialog = ref<typeof RecoverVaultDialog>();
 const vault = ref<VaultDto>();
 const vaultKeys = ref<VaultKeys>();
 const members = ref<Map<string, MemberDto>>(new Map());
+const trusts = ref<TrustDto[]>([]);
 const usersRequiringAccessGrant = ref<UserDto[]>([]);
 const claimVaultOwnershipDialog = ref<typeof ClaimVaultOwnershipDialog>();
 const claimingVaultOwnership = ref(false);
@@ -296,6 +299,7 @@ async function fetchData() {
 async function fetchOwnerData() {
   try {
     (await backend.vaults.getMembers(props.vaultId)).forEach(member => members.value.set(member.id, member));
+    await refreshTrusts();
     usersRequiringAccessGrant.value = await backend.vaults.getUsersRequiringAccessGrant(props.vaultId);
     vaultRecoveryRequired.value = false;
     const vaultKeyJwe = await backend.vaults.accessToken(props.vaultId, true);
@@ -447,6 +451,10 @@ function permissionGranted() {
   usersRequiringAccessGrant.value = [];
 }
 
+async function refreshTrusts() {
+  trusts.value = await backend.trust.listTrusted();
+}
+
 async function refreshLicense() {
   license.value = await backend.license.getUserInfo();
   emit('licenseStatusUpdated', license.value);
diff --git a/frontend/src/i18n/de-DE.json b/frontend/src/i18n/de-DE.json
index cf9a49d1..bf4c366e 100644
--- a/frontend/src/i18n/de-DE.json
+++ b/frontend/src/i18n/de-DE.json
@@ -67,6 +67,7 @@
   "auditLog.details": "Details",
   "auditLog.details.device.register": "Gerät registrieren",
   "auditLog.details.device.remove": "Gerät entfernen",
+  "auditLog.details.wot.signedIdentity": "Identität beglaubigt",
   "auditLog.details.vault.create": "Tresor erstellen",
   "auditLog.details.vault.update": "Tresor aktualisieren",
   "auditLog.details.vaultAccess.grant": "Tresor-Zugriff gewähren",
@@ -135,6 +136,15 @@
   "grantPermissionDialog.description": "Tresor-Schlüssel mit neu hinzugefügten Nutzern teilen.",
   "grantPermissionDialog.submit": "Berechtigung für {0} Nutzer gewähren",
 
+  "trustDetails.trustLevel": "Vertrauenslevel {0}",
+  "trustDetails.trustLevel.untrusted": "Unverifiziert",
+  "trustDetails.showSignDialogBtn": "Identität prüfen...",
+  "trustDetails.userNotSetUp": "Benutzeraccount noch nicht eingerichtet.",
+
+  "signUserKeysDialog.title": "{0}s Identität bestätigen",
+  "signUserKeysDialog.description": "Gib die ersten {0} Zeichen von {1}s Fingerprint ein, um die Authentizität der Public Keys dieses Nutzers zu bestätigen. Der Fingerprint wird im persönlichen Nutzerprofil angezeigt.",
+  "signUserKeysDialog.submit": "Identität bestätigen",
+
   "initialSetup.createUserKey.title": "Willkommen bei Cryptomator Hub",
   "initialSetup.createUserKey.description": "Bei der ersten Anmeldung erhält jeder Nutzer einen eindeutigen Account Key:",
   "initialSetup.createUserKey.details.accountKey": "Dein Account Key wird benötigt, um dich von anderen Apps oder Browsern aus anzumelden",
diff --git a/frontend/src/i18n/en-US.json b/frontend/src/i18n/en-US.json
index 4fa0e26d..9537ecd7 100644
--- a/frontend/src/i18n/en-US.json
+++ b/frontend/src/i18n/en-US.json
@@ -67,6 +67,7 @@
   "auditLog.details": "Details",
   "auditLog.details.device.register": "Register Device",
   "auditLog.details.device.remove": "Remove Device",
+  "auditLog.details.wot.signedIdentity": "Signed Identity",
   "auditLog.details.vault.create": "Create Vault",
   "auditLog.details.vault.update": "Update Vault",
   "auditLog.details.vaultAccess.grant": "Grant Vault Access",
@@ -135,6 +136,15 @@
   "grantPermissionDialog.description": "Share vault keys with newly added users.",
   "grantPermissionDialog.submit": "Grant Permission to {0} User(s)",
 
+  "trustDetails.trustLevel": "Trust Level {0}",
+  "trustDetails.trustLevel.untrusted": "Unverified",
+  "trustDetails.showSignDialogBtn": "Check Identity...",
+  "trustDetails.userNotSetUp": "User has not set up their account yet.",
+
+  "signUserKeysDialog.title": "Verify {0}'s Identity",
+  "signUserKeysDialog.description": "Enter the first {0} characters of {1}'s fingerprint in order to confirm the authenticity of their public keys. The fingerprint can be found in the user's profile.",
+  "signUserKeysDialog.submit": "Confirm this User's Identity",
+
   "initialSetup.createUserKey.title": "Welcome to Cryptomator Hub",
   "initialSetup.createUserKey.description": "On first login, every user gets a unique Account Key:",
   "initialSetup.createUserKey.details.accountKey": "Your Account Key is required to login from other apps or browsers",
diff --git a/frontend/src/i18n/index.ts b/frontend/src/i18n/index.ts
index 9f63eb53..beea492c 100644
--- a/frontend/src/i18n/index.ts
+++ b/frontend/src/i18n/index.ts
@@ -24,3 +24,16 @@ export const datetimeFormats: I18nOptions['datetimeFormats'] = {
     }
   }
 };
+
+export const numberFormats: I18nOptions['numberFormats'] = {
+  [Locale.EN]: {
+    percent: {
+      style: 'percent', useGrouping: false
+    }
+  },
+  [Locale.DE]: {
+    percent: {
+      style: 'percent', useGrouping: false
+    }
+  }
+}
diff --git a/frontend/src/main.ts b/frontend/src/main.ts
index 5818949f..9accc503 100644
--- a/frontend/src/main.ts
+++ b/frontend/src/main.ts
@@ -2,7 +2,7 @@ import { createApp } from 'vue';
 import { createI18n } from 'vue-i18n';
 import App from './App.vue';
 import './css/fonts.css';
-import { Locale, datetimeFormats, messages } from './i18n/index';
+import { Locale, datetimeFormats, messages, numberFormats } from './i18n/index';
 import './index.css';
 import router from './router';
 // migrate to // import messages from '@intlify/vite-plugin-vue-i18n/messages'; as soon as it works
@@ -12,6 +12,7 @@ const i18n = createI18n({
   fallbackLocale: Locale.EN,
   messages,
   datetimeFormats,
+  numberFormats,
   globalInjection: true,
   missingWarn: false,
   fallbackWarn: false
diff --git a/frontend/test/common/crypto.spec.ts b/frontend/test/common/crypto.spec.ts
index 785962f5..051e2d56 100644
--- a/frontend/test/common/crypto.spec.ts
+++ b/frontend/test/common/crypto.spec.ts
@@ -1,8 +1,8 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { base64 } from 'rfc4648';
-import { UnwrapKeyError, UserKeys, VaultKeys } from '../../src/common/crypto';
+import { base64, base64url } from 'rfc4648';
+import { UnwrapKeyError, UserKeys, VaultKeys, getJwkThumbprint } from '../../src/common/crypto';
 
 chaiUse(chaiAsPromised);
 
@@ -236,6 +236,26 @@ describe('crypto', () => {
       expect(result).to.eql('7C3USOO3VU7IVQRKFMRFV3QE4VEZJECV');
     });
   });
+
+
+  describe('JWK Thumbprint', () => {
+
+    // https://datatracker.ietf.org/doc/html/rfc7638#section-3.1
+    it('compute example thumbprint from RFC 7638, Section 3.1', async () => {
+      const input: JsonWebKey & any = {
+        kty: 'RSA',
+        n: '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
+        e: 'AQAB',
+        alg: 'RS256',
+        kid: '2011-04-29'
+      };
+
+      const thumbprint = await getJwkThumbprint(input);
+
+      expect(base64url.stringify(thumbprint, { pad: false })).to.eq('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
+    });
+
+  });
 });
 
 /* ---------- MOCKS ---------- */
diff --git a/frontend/test/common/jwt.spec.ts b/frontend/test/common/jwt.spec.ts
index 9d4829ea..f3e50305 100644
--- a/frontend/test/common/jwt.spec.ts
+++ b/frontend/test/common/jwt.spec.ts
@@ -12,35 +12,50 @@ describe('JWT', () => {
   });
 
   describe('RFC 7515 / RFC 7519', () => {
-    let signerPrivateKey: CryptoKey;
+    let signerKey: CryptoKeyPair;
 
     beforeEach(async () => {
-      signerPrivateKey = await crypto.subtle.importKey(
-        'jwk',
-        {
-          kty: 'EC',
-          crv: 'P-384',
-          // key coordinates from MDN examples:
-          d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
-          x: 'SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ',
-          y: 'hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW'
-        },
-        {
-          name: 'ECDSA',
-          namedCurve: 'P-384'
-        },
-        false,
-        ['sign']
-      );
+      const signerPublicJwk: JsonWebKey = {
+        kty: 'EC',
+        crv: 'P-384',
+        // key coordinates from MDN examples:
+        x: 'SzrRXmyI8VWFJg1dPUNbFcc9jZvjZEfH7ulKI1UkXAltd7RGWrcfFxqyGPcwu6AQ',
+        y: 'hHUag3OvDzEr0uUQND4PXHQTXP5IDGdYhJhL-WLKjnGjQAw0rNGy5V29-aV-yseW'
+      };
+      const signerPrivateJwk: JsonWebKey = {
+        ...signerPublicJwk,
+        // key coordinates from MDN examples:
+        d: 'wouCtU7Nw4E8_7n5C1-xBjB4xqSb_liZhYMsy8MGgxUny6Q8NCoH9xSiviwLFfK_',
+      };
+      signerKey = {
+        privateKey: await crypto.subtle.importKey('jwk', signerPrivateJwk, { name: 'ECDSA', namedCurve: 'P-384' }, false, ['sign']),
+        publicKey: await crypto.subtle.importKey('jwk', signerPublicJwk, { name: 'ECDSA', namedCurve: 'P-384' }, true, ['verify'])
+      };
     });
 
-    it('es384sign()', () => {
+    it('es384sign()', async () => {
       const encodedHeader = 'eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImI2NCI6dHJ1ZX0';
       const encodedPayload = 'eyJmb28iOjQyLCJiYXIiOiJsb2wiLCJvYmoiOnsibmVzdGVkIjp0cnVlfX0';
 
-      const encodedSignature = JWT.es384sign(encodedHeader, encodedPayload, signerPrivateKey);
+      const encodedSignature = await JWT.es384sign(encodedHeader, encodedPayload, signerKey.privateKey);
+
+      expect(encodedSignature).to.be.a('string');
+    });
+
+    it('es384verify() a valid signature', async () => {
+      const jwt = 'eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImI2NCI6dHJ1ZX0.eyJmb28iOjQyLCJiYXIiOiJsb2wiLCJvYmoiOnsibmVzdGVkIjp0cnVlfX0.9jS7HDRkbwEbmJ_cpkFHcQuNHSsOzSO3ObkT_FBQIIJehYYk-1aAK0KVnOgeDg6hVELy5-XcRHOCETwuTuYG5eQ3jIbxpTviHttJ-r26BYynw6dlmJTuLSvsTjtpoTa_';
+
+      const validSignature = await JWT.es384verify(jwt, signerKey.publicKey);
+
+      expect(validSignature).to.be.true;
+    });
+
+    it('es384verify() an invalid signature', async () => {
+      const jwt = 'eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImI2NCI6dHJ1ZX0.eyJmb28iOjQyLCJiYXIiOiJsb2wiLCJvYmoiOnsibmVzdGVkIjp0cnVlfX0.9jS7HDRkbwEbmJ_cpkFHcQuNHSsOzSO3ObkT_FBQIIJehYYk-1aAK0KVnOgeDg6hVELy5-XcRHOCETwuTuYG5eQ3jIbxpTviHttJ-r26BYynw6dlmJTuLSvsTjtpoTaX';
 
-      return expect(encodedSignature).to.eventually.be.fulfilled;
+      const validSignature = await JWT.es384verify(jwt, signerKey.publicKey);
+
+      expect(validSignature).to.be.false;
     });
 
     it('build() ES384-signed JWT', async () => {
@@ -56,9 +71,19 @@ describe('JWT', () => {
         obj: { nested: true }
       };
 
-      const jwt = await JWT.build(header, payload, signerPrivateKey);
+      const jwt = await JWT.build(header, payload, signerKey.privateKey);
 
       expect(jwt).to.be.not.null;
     });
+
+    it('parse() ES384-signed JWT', async () => {
+      const jwt = 'eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImI2NCI6dHJ1ZX0.eyJmb28iOjQyLCJiYXIiOiJsb2wiLCJvYmoiOnsibmVzdGVkIjp0cnVlfX0.9jS7HDRkbwEbmJ_cpkFHcQuNHSsOzSO3ObkT_FBQIIJehYYk-1aAK0KVnOgeDg6hVELy5-XcRHOCETwuTuYG5eQ3jIbxpTviHttJ-r26BYynw6dlmJTuLSvsTjtpoTa_';
+
+      const [header, payload] = await JWT.parse(jwt, signerKey.publicKey);
+
+      expect(header).to.deep.equal({ alg: 'ES384', typ: 'JWT', b64: true });
+      expect(payload).to.deep.equal({ foo: 42, bar: 'lol', obj: { nested: true } });
+    });
+
   });
 });