I don't think you want/need web-of-trust to evaluate licensing. You probably just want to see "what is the full set of (transitive) licenses I'm agreeing to when taking on this new dependency?" Right? If so, there's cargo-license [1] for that.
This seems like something you need a lawyer for. Perhaps a web of lawyers. The hardest part with (L)GPL compliance has a lot to do with the significance of the linked GPL’d code and how enforceable these licenses are. Not easy questions to answer for nonexperts and even experts will disagree.
Could you elaborate on what you mean by this? Were you wanting people to be able to publish proofs that they've reviewed the legal standing of the code as well as the code itself for problems?
I don't see how a cryptographic WoT system is necessary for that kind of concern. That sounds like more tooling needed around the language's basic packaging system.
That's stipulated by the crate metadata and the only authority of that claim is the author's, right? Why would you want/need bolstering of that claim by a web-of-trust? What would it mean if the WoT identified a different copyright owner than the author or a different license from the one the author offers?