This is extremely dangerous, and would only work with hardware/software that is nonfree (i.e., not under the user's control, or any attestation could be spoofed).

This is effectively PKI for personhood. The State DMV acts as the Certificate Authority (CA), signing a "leaf certificate" that is bound to the device's hardware Secure Element.

It’s less like a TLS handshake and more like OpenID for Verifiable Presentations (OID4VP). The "non-free" hardware requirement serves as Remote Attestation—it allows a verifier to cryptographically prove that the identity hasn't been cloned or spoofed by a script. The verification happens offline or via a standard web flow using the DMV’s public key to validate the data signature, ensuring the credential is authentic without requiring a phone-home to the issuer.