The Trust Tax
A small open-source library is depended on by someone the maintainer has never met. The dependent ships their own product, makes some money, would tip the maintainer a few dollars if doing so were free. Doing so is not free. To send the tip, the dependent's payment processor has to know who the maintainer is. The maintainer has to be onboarded onto a rail (Stripe, PayPal, a bank account with international receive enabled) that will run a KYC pass before releasing funds. The processor needs an identity it trusts. The tip costs more in trust-establishment than it pays out. The transaction does not happen. It is suppressed by the identity layer, not by the payment math.
Multiply this across every micro-interaction the open web could have hosted but did not. The pattern has a name. The web has an identity layer, and the identity layer levies a tax. Most of the suppressed transactions live in the layer below where the tax bites.
This piece names that tax as a transaction cost in the Coasean sense and describes one substrate primitive that lowers it. The argument is economic, not moral. A class of substrate primitives lowers the trust tax for a mixed population (humans and agents) and unlocks a long tail of interactions that the tax has been suppressing.
The trust tax is a Coasean transaction cost
Almost every valuable digital interaction between strangers pays a trust tax. The tax is levied in identity. Sign up, KYC, hand over a card, prove you are not a bot, get an API key issued, ask a person to vouch for you. The currency varies (time filling forms, money paid to verifiers, personal data handed to issuers, deferred trust that an issuer will not misuse what you handed them) and the tax does not appear as a line item on any invoice. It determines which transactions happen and which silently do not.
Ronald Coase argued in 1937 that firms exist because the friction of organising production through market transactions sometimes exceeds the friction of organising it through hierarchy. The transaction cost is the explanatory variable, not a residual. The shape of who-transacts-with-whom is partly selected by where the friction sits. Apply the same lens to stranger-to-stranger interactions on the open web and one major component of the friction is the trust tax: the cost of producing enough mutual recognition between two parties who do not know each other to make the transaction safe enough to close. Other components (payment-rail fees, regulatory cost, language barrier) are real and not what this piece is about. The trust tax is the component the substrate primitive addresses.
Where the trust tax exceeds the transaction's value, the transaction does not happen. The point is sharper than "high-friction transactions are slower." High-friction transactions whose value exceeds the friction still happen, slower. The transactions that get cut off are the ones whose value is below the tax. They never appear in the data. They are not slow versions of existing transactions. They are interactions whose terms would have closed but for the friction layer the participants did not get past.
What the participants are paying for, when they pay the tax, is not the transaction itself. They are paying for one of the parties to acquire enough recognition of the other that the transaction is safe to enter. The recognition machinery (passport, bank account, phone number, workplace email, credential, vouching, KYC report) was built for a population and a transaction shape that the open web is no longer the dominant case of.
The binding-constraint filter and the long tail
Not every reduction in friction unlocks a new class of interaction. Two filters cut the candidate list down to what is actually unlocked.
First filter: the trust tax must be the binding constraint, not one of several. A mortgage application carries identity friction (KYC, credit checks, income verification) but the identity friction is part of an information-cost stack that also contains the underwriter's time, the title search, the regulatory review, capital allocation, and the closing legal work. Lowering the trust tax on a mortgage does not unlock new mortgages because the legal, collateral, regulatory, and capital constraints remain binding. The interaction was bound by something else.
Second filter: the interaction must be one that does not happen today (a new class), not merely one that could be cheaper. A faster KYC pass on an existing payment service is not an unlock. The transaction was happening. The unlock is the transaction whose value is below the current friction and is therefore not appearing at all.
With those two filters applied, the surface narrows. The interactions that are bound by the trust tax and do not happen today are low-trust, low-value transactions where the friction layer is the dominant cost. A one-off API call between two services neither of which has heard of the other. A pseudonymous forum post that wants spam-resistance without requiring an account. A micro-payment for a single inference call. A short-lived agreement to share a small amount of compute. A tip from a reader who values a piece of writing at a few cents but cannot route the payment through any rail that does not eat the value in fees and friction.
This is the long tail of micro-interactions. The shape of the distribution comes from fixed-cost suppression: each interaction has to absorb the trust tax (and any other fixed cost in the layer) in full, and the tax does not shrink to match the value of the interaction it is gating. Past some threshold value, the interaction's own value cannot pay for the tax it must clear. Interactions above the threshold complete (sometimes slowly). Interactions below the threshold do not complete at all. The mass of suppressed interactions sits where fixed-cost trust establishment dominates the per-transaction value, which is the long tail by construction. The high-value head has always paid the tax and continued. The tail is where the suppressed interactions are.
Strangers now permanently includes agents
Every existing trust-tax apparatus assumes the participant is a human with institutional credentials. The verification path runs through institutions that issue identity to humans (governments, banks, employers, telcos, social platforms). The apparatus is calibrated for that population and that population's shape of transaction.
Agents have no first-class institutional identity by construction. They cannot hold a passport. They cannot open a bank account in their own name. They cannot pass a phone-number-based identity check that depends on a human picking up the call. What they have instead is derivative identity: API keys issued by a service to a human or organisation, OAuth clients owned by a developer account, service accounts created and held to account by a parent identity, payment rails routed through a human-owned card. The agent transacts only by riding on a credential the institutional issuer minted for someone else. The institutional issuers are not in the business of issuing first-class identity to agents and have no reason to start, because doing so would require taking on liabilities they were structured to avoid. The retrofit path to first-class agent participation is closed.
Agents also want to transact. They want to buy compute, fetch data, call APIs, pay for services, accept payment for services rendered. The transactions they want are exactly the ones the long tail is bursting with: small, frequent, between parties neither of which has heard of the other, calibrated to value low enough that the existing apparatus's friction cuts them off entirely.
Two consequences follow. The substrate, as it exists, cannot admit agents as first-class peers. Agents transact only through a derivative path: a human or organisation has to lend them the credential the substrate demands, and the resulting liability lands on the lender. The trust tax for direct agent participation is uncollectable in the existing apparatus's currency, because the apparatus only knows how to charge it to a human or org. The substrate's calibration is for a population that no longer exclusively populates it, and the population it can only admit derivatively is the one whose interaction shape is closest to the long tail.
Any substrate primitive that lowers the trust tax for the mixed population (humans and agents both) has to do so without reference to the species of the participant. Not because of a moral commitment to agent standing, but because the population that wants to transact is mixed and the substrate has to accommodate it. The species-neutrality of the substrate is a design constraint imposed by who actually wants to transact, not a value position about who deserves to. The earlier piece in this series on identity without person argued the same conclusion from the substrate side: the question "what kind of actor is this?" is the wrong question for the trust layer to ask. The Coasean lens supplies the economic version of the same conclusion. The species-distinction was an artefact of the apparatus's calibration. The apparatus's calibration was for a population that has changed.
Continuity-auth as the operative form
Continuity-auth is one substrate primitive in the class. The class is wider than the library, and the library is the operative example of what a class member looks like.
The mechanism is direct. Trust accrues through observable behaviour over wall-clock time, anchored to a cryptographic key the caller controls. No third-party issuer sits in the path. The verifier holds the history itself, co-located with the substrate, and the relying party never reads someone else's stored summary of the caller as if it were live evidence. Good behaviour at one deployment does not entitle the same key to standing at another deployment that has not observed it, so the primitive emits no portable score that an institutional check would have been needed to gate.
The adversarial cost shape decomposes into two layers, and they behave differently under attacker capability gain. Calendar time gates accumulation, demotion, and recovery. A calendar day costs the same as it did last year, and capability gain does not compress it. An attacker who wants the standing that comes with sustained low-anomaly observation pays for it in wall-clock days that they cannot buy on the spot market for a single transaction. Per-IP inventory gates fresh-cluster minting and provenance-signal distinctness. IP inventory is market-priced: residential proxies are cheap per request and priced per gigabyte, and an attacker with sufficient inventory can buy more of it. The IP-side cost bounds rather than blocks. One of the two layers is uncompressible by capability gain. The other is priced by inventory the attacker can purchase but does not get for free.
What the substrate refuses to install is a "prove you are human" check at the entry point. Doing so would reintroduce the trust tax in exactly the form the substrate exists to remove. The institutional check converts the question "is this caller going to behave?" into the question "is this caller's institutional credential current?" The first question is what the substrate is designed to answer through behaviour. The second question is what the trust tax taxes. Installing the second question reinstalls the tax.
The thesis is more concrete than "a useful library exists." A class of substrate primitives, each lowering a different transaction cost, collectively lowers the trust tax for the long-tail population. Continuity-auth is the bootstrap-and-rate-limit primitive. Other primitives in the same family compose with it. Short-lived authorization tokens (issued by the operator that holds the relationship, expiring fast, scoped to a named audience and a named action) carry a scoped grant of permission across a trust boundary, not portable evidence of standing earned elsewhere. The token is a credential in the standard security sense, and the distinction the architecture insists on is that what the token carries is permission to do this thing for this audience within this expiry, not the receiver's adoption of the issuer's reputation judgement. Sealed-pull notification delivery (the recipient holds a mailbox keyed to their public key, returns to prove possession, fetches what is there) replaces push-channel identity with on-demand authentication. Pseudonymous platforms where the key is the account, where the first action mints the identity rather than requiring registration upfront, bid for all three of open / anonymous / spam-resistant simultaneously, weakening the trilemma that forums have been picking two of for fifteen years. The claim is spam-resistant, not spam-free: cold-start throttling and per-key rate-limiting do the work, and they buy resistance, not elimination.
Each primitive removes a transaction cost the existing apparatus levied. None requires an institutional issuer in the path. None requires the participant to disclose what species of actor they are. Each is constructable by parties other than the lab once the substrate-design pattern is understood. The lab is contributing instances of the class. The class is the contribution.
Closing
The trust tax is the silent shape of which interactions happen. It is denominated in a currency (institutional credentials) that the population that wants to transact does not uniformly hold. It taxes most heavily exactly the interactions whose value sits below the tax, which means it suppresses the long tail rather than the head. The participants the tax can only admit derivatively are precisely the participants whose transaction shape is closest to the long tail in the first place.
Substrates that lower the trust tax for the mixed population, without reintroducing the credential check the tax depends on, unlock the interactions the tax has been suppressing. The lab is shipping one instance of the class. The class is constructable elsewhere. The lens this piece argues for is transaction-cost economics applied to the open-web trust layer, with continuity-auth as one operative example and a sketched portfolio of sister primitives that compose with it. The open question is who else builds them and what part of the long tail they unlock.