Interesting. How does the revocation of lost/stolen cards interact with the anonymous design of the age attestation?
If an enterprising 19-year-old sold their card and PIN to a 15-year-old and reported it lost to get a replacement, presumably there's some mechanism to stop the 'lost' card being used as proof of age?
The card communicates with an eID server via the app. This server is connected to the PKI and receives a new certificate daily-ish and also has a revocation list of blocked IDs. There's a ridiculous amount of regulation for hosting one yourself, so you get that service from one of the two or three who provide it as a service.
ID data this eID server received from the card is then sent to the eID service that initiated the session, which may either be the entity who needs it, or another service provider who wraps another set of regulation requirements and complex eID server API calls into an easy to use API for their customers.
ID data isn't actually shown to the user in the app unless it's a custom implementation that loops it all the way back from the service provider at the end.
That would be an unlikely scenario. No one would just sell their ID just like that because you have to go to the police to make a report on what happened exactly which then gets distributed in whole Europe and also getting a new ID is quite a procedure and costly unfortunately
If an enterprising 19-year-old sold their card and PIN to a 15-year-old and reported it lost to get a replacement, presumably there's some mechanism to stop the 'lost' card being used as proof of age?