During their everyday decision making, humans consider the interplay between two types of trust: vertical trust and horizontal trust. Vertical trust captures the trust relationships that exist between individuals and institutions, while horizontal trust represents the trust that can be inferred from the observations and opinions of others. Although researchers are actively exploring both vertical and horizontal trust within the context of distributed computing (e.g., credential-based trust and reputation-based trust, respectively), the specification and enforcement of composite trust management policies involving the flexible composition of both types of trust metrics is currently an unexplored area. In this paper, we take the first steps towards developing a comprehensive approach to composite trust management for distributed systems. In particular, we conduct a use case analysis to uncover the functional requirements that must be met by composite trust management policy languages. We then present the design and semantics of CTM: a flexible policy language that allows arbitrary composition of horizontal and vertical trust metrics. After showing that CTM embodies each of the requirements discovered during our use case analysis, we demonstrate that CTM can be used to specify a wide range of interesting composite trust management policies, and comment on several systems challenges that arise during the composite trust management process.