diff --git a/tildes/tildes/models/comment/comment.py b/tildes/tildes/models/comment/comment.py
index 1cd2081..7a6478e 100644
--- a/tildes/tildes/models/comment/comment.py
+++ b/tildes/tildes/models/comment/comment.py
@@ -164,8 +164,13 @@ class Comment(DatabaseModel):
         acl.append((Allow, Authenticated, "vote"))
 
         # tag:
-        # - temporary: nobody can tag comments
-        acl.append((Deny, Everyone, "tag"))
+        # - removed comments can't be tagged by anyone
+        # - otherwise, people with the "comment.tag" permission other than the author
+        if self.is_removed:
+            acl.append((Deny, Everyone, "tag"))
+
+        acl.append((Deny, self.user_id, "tag"))
+        acl.append((Allow, "comment.tag", "tag"))
 
         # reply:
         # - removed comments can't be replied to by anyone
@@ -194,6 +199,7 @@ class Comment(DatabaseModel):
 
         # tools that require specifically granted permissions
         acl.append((Allow, "admin", "remove"))
+        acl.append((Allow, "admin", "view_tags"))
 
         acl.append(DENY_ALL)
 
diff --git a/tildes/tildes/models/comment/comment_tag.py b/tildes/tildes/models/comment/comment_tag.py
index f7c7a33..a1c5c3e 100644
--- a/tildes/tildes/models/comment/comment_tag.py
+++ b/tildes/tildes/models/comment/comment_tag.py
@@ -35,6 +35,7 @@ class CommentTag(DatabaseModel):
     )
 
     comment: Comment = relationship(Comment, backref=backref("tags", lazy=False))
+    user: User = relationship(User, lazy=False, innerjoin=True)
 
     def __init__(self, comment: Comment, user: User, tag: CommentTagOption) -> None:
         """Add a new tag to a comment."""
diff --git a/tildes/tildes/models/user/user.py b/tildes/tildes/models/user/user.py
index 2a06d51..243c859 100644
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@@ -3,7 +3,7 @@
 
 """Contains the User class."""
 
-from datetime import datetime
+from datetime import datetime, timedelta
 from typing import Any, List, Optional, Sequence, Tuple
 
 from mypy_extensions import NoReturn
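Review bot: `acl.append((Deny, self.user_id, "tag"))` only keeps the author from tagging their own comment if the authenticated user's effective principals contain the bare `user_id` with the same type; if the authentication policy emits a prefixed principal such as `"user:42"` instead, the Deny never matches and the author falls through to `(Allow, "comment.tag", "tag")`. That cannot be confirmed from this hunk, so a regression test asserting the author lacks `"tag"` on their own comment is worth adding, together with a comment on the line such as `# effective_principals includes the raw user_id, so this Deny catches the author`. Because Pyramid's ACL check stops at the first matching ACE, the `is_removed` Deny must stay ahead of the Allow, and deleted comments are not handled in this block: unless `is_deleted` is short-circuited earlier in `__acl__` (not visible here), a deleted comment remains taggable by non-authors. `__acl__` begins and ends outside the hunk.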
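Review bot: `acl.append((Allow, "admin", "view_tags"))` introduces a new permission name without saying what it gates; the only consumer visible in this change is the `comment.tag_counts` guard in comments.jinja2, so a short comment would save the next reader a search, e.g. `# - view_tags: see the aggregated tag counts on a comment (admin-only for now)`. Unlike `"tag"`, `"view_tags"` is not denied on removed comments, which is reasonable for an admin-only tool but worth stating in that comment if non-admins are ever granted it. `__acl__` begins and ends outside the hunk.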
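Review bot: `user: User = relationship(User, lazy=False, innerjoin=True)` makes every load of a `CommentTag` inner-join the user row, and because the `tags` backref on the line above is also `lazy=False`, loading a comment now joins all of its tags and all of their users even on pages that never read them. With `innerjoin=True` a tag whose user row cannot be joined would also silently drop out of `comment.tags` rather than surface as an error (whether that can occur depends on the FK constraint, which is not visible here). If the only consumer is `tags_by_user()` comparing the tagging user to `request.user`, comparing `user_id` values or using `lazy="selectin"` avoids widening the comment query; either way a comment such as `# eager-loaded: tags_by_user() compares the tagging user on every comment render` would document why the join cost is accepted. The class body continues outside the hunk.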
@@ -33,6 +33,7 @@ from sqlalchemy_utils import Ltree
 
 from tildes.enums import TopicSortOption
 from tildes.lib.database import ArrayOfLtree, CIText
+from tildes.lib.datetime import utc_now
 from tildes.lib.hash import hash_string, is_match_for_hash
 from tildes.models import DatabaseModel
 from tildes.schemas.user import EMAIL_ADDRESS_NOTE_MAX_LENGTH, UserSchema
@@ -213,16 +214,23 @@ class User(DatabaseModel):
     @property
     def auth_principals(self) -> List[str]:
         """Return the user's authorization principals (used for permissions)."""
-        if not self.permissions:
-            return []
-
-        if isinstance(self.permissions, str):
-            return [self.permissions]
+        principals: List[str] = []
 
-        if isinstance(self.permissions, list):
-            return self.permissions
-
-        raise ValueError("Unknown permissions format")
+        # start with any principals manually defined in the permissions column
+        if not self.permissions:
+            pass
+        elif isinstance(self.permissions, str):
+            principals = [self.permissions]
+        elif isinstance(self.permissions, list):
+            principals = self.permissions
+        else:
+            raise ValueError("Unknown permissions format")
+
+        # give the user the "comment.tag" permission if they're over a week old
+        if utc_now() - self.created_time > timedelta(days=7):
+            principals.append("comment.tag")
+
+        return principals
 
     @property
     def is_admin(self) -> bool:
diff --git a/tildes/tildes/templates/macros/comments.jinja2 b/tildes/tildes/templates/macros/comments.jinja2
index 1f4bd28..7405538 100644
--- a/tildes/tildes/templates/macros/comments.jinja2
+++ b/tildes/tildes/templates/macros/comments.jinja2
@@ -19,7 +19,7 @@
 data-comment-depth="{{ loop.depth0 }}"
 {% endif %}
 
-{% if request.has_permission('view', comment) %}
+{% if request.has_permission("tag", comment) %}
 data-comment-user-tags="{{ comment.tags_by_user(request.user)|join(' ') }}"
 {% endif %}
 >
@@ -96,12 +96,17 @@
 {% endif %}
-{% if comment.tag_counts %}
+{% if comment.tag_counts and request.has_permission("view_tags", comment) %}
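Review bot: In the `isinstance(self.permissions, list)` branch, `principals = self.permissions` aliases the ORM attribute, so the later `principals.append("comment.tag")` mutates `self.permissions` in place: each access of `auth_principals` on a week-old user with a list-valued column appends another `"comment.tag"`, and if the session flushes that change (depends on the column type's mutation tracking, not visible here) the age-gated grant is persisted as a permanent manual permission that survives any later tightening of the rule. Copy instead: `principals = list(self.permissions)`. The comparison `utc_now() - self.created_time > timedelta(days=7)` also assumes `created_time` is timezone-aware like `utc_now()`; if a naive value can occur, every permission check raises `TypeError`, so that assumption deserves a comment or a test. Account age on its own is a weak anti-abuse gate (accounts can be registered in bulk and left to age), so any rate limiting of tagging still has to live elsewhere.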
diff --git a/tildes/tildes/templates/macros/links.jinja2 b/tildes/tildes/templates/macros/links.jinja2
index cad932f..b407998 100644
--- a/tildes/tildes/templates/macros/links.jinja2
+++ b/tildes/tildes/templates/macros/links.jinja2
@@ -1,9 +1,9 @@
 {# Copyright (c) 2018 Tildes contributors #}
 {# SPDX-License-Identifier: AGPL-3.0-or-later #}
 
-{% macro username_linked(username) %}
+{% macro username_linked(username) -%}
 {{ username }}
-{% endmacro %}
+{%- endmacro %}
 
 {% macro group_linked(group_path) %}
 ~{{ group_path }}