
That certificate retrieved from the government has no personal information attached to it. It's essentially empty, only defining what information will be requested from the user.

The certificate is passed to the user's ID card where that information is populated, the document is cryptographically signed, and returned to the requesting party after the user reviews and approves the transaction.



I'm not asking what goes to the site. Does the request to the government come from the site you visit? Can the government pair the site with your card? They know who they issued the card to.


If the ID card cryptographically signs it, doesn't that mean that it isn't anonymous?

I assume it's a variant of PKI, with everyone trusting the government's root key, and each ID card storing a unique certificate signed by that root key. But an ID card will only have a single certificate, so it would be trivial to see that multiple data snippets were signed by the same certificate - and therefore the same person. That would allow a website to track users across sessions - or even across websites.



