The central checker knows you've proven your age, but not where you've proven it.
As someone else points out, you send a message to your ID provider 17 requesting the minimum required fields and an anonymous token provided by HN. The ID provider returns that (over18=yes, token=1234567....), which is signed. You then send the returned payload to the server you're asking, saying "I used Identity provider", and HN (assuming it trusts your ID provider) can confirm that.
HN knows the IP you're connecting from and the identity provider (say the Australian government).
The Australian government doesn't know where you're connecting to, just that you are trying to prove you are over 18. The unique random number HN provides confirms it's not someone else's token, but it doesn't link to HN.
I assume there's a proper standard which does this.
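The exchange described in the comment above, as an added Go example that is not part of the original post. The names `Site`, `Setup` and `IDProviderSign`, the Ed25519 signature scheme and the `over18=...&token=...` payload layout are assumptions made for illustration, not a published standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Site is the relying party (HN in the comment): it trusts one ID provider key
// and remembers which tokens it has issued and not yet seen redeemed.
type Site struct {
	trusted ed25519.PublicKey
	pending map[string]bool
}

// Setup creates an ID provider key pair and a site that trusts it (hypothetical helper).
func Setup() (*Site, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Site{pub, map[string]bool{}}, priv
}

// NewToken issues a random single-use token; it carries nothing that names the site.
func (s *Site) NewToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	t := fmt.Sprintf("%x", b)
	s.pending[t] = true
	return t
}

// IDProviderSign is the provider's side: it sees only the claim and the opaque token.
func IDProviderSign(priv ed25519.PrivateKey, over18 bool, token string) (payload, sig []byte) {
	payload = []byte(fmt.Sprintf("over18=%t&token=%s", over18, token))
	return payload, ed25519.Sign(priv, payload)
}

// Verify accepts only a trusted signature over over18=true and a token this site issued and has not used.
func (s *Site) Verify(payload, sig []byte) bool {
	tok, ok := strings.CutPrefix(string(payload), "over18=true&token=")
	if !ed25519.Verify(s.trusted, payload, sig) || !ok || !s.pending[tok] {
		return false
	}
	delete(s.pending, tok) // single use: a replayed payload fails from here on
	return true
}

func main() {
	site, priv := Setup()
	p, sig := IDProviderSign(priv, true, site.NewToken())
	fmt.Println(site.Verify(p, sig), site.Verify(p, sig)) // true false
}
```

The token is only consumed on a successful verification, so a rejected attempt (wrong provider, `over18=false`) does not burn the visitor's pending token.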