@paranormal_distribution For example: Some government agency can issue a certificate to the person that contains passport number, expiry date and date of birth. A person can then selectively choose what information should be displayed - NO passport number, NO expiry date and mask date of birth behind "before some date". If verifier trust this government agency then presenter can prove "I'm at least 18 years old" and this proof will hold.

@paranormal_distribution The verifier learns what the presenter can do, never who they are or how they get this capability. Here I'm using capability as a broad term for "some knowledge I'm willing to disclose".

@paranormal_distribution No one. The presenter asks the verifier to publish their constraints — the trusted root authorities and the current revocation list (one way hashed). The presenter then forges two proofs locally: "I hold a valid capability delegated to me only" and "no intermediate delegator in my chain is revoked, and the delegation chain starts from a trusted root". The verifier checks both proofs against the published roots — no callback, no identity disclosure, no phone-home.

@mullvadnet curious timing. just about an hour ago I forged and verified my first zero knowledge proof that can tell the verifier that proof holder was born before a certain timestamp (aka. older than N years) at the same time reveling absolutely (!) nothing about proof holders, not even those who authorize it.