[rdl]

I like those, but I really really want something which can do bt 4.0le with an existing pairing (stronger than just bluetooth 4.0 le security, though) between my host (ideally, mac/win/linux desktop/laptops, also phones) and the device, with some level of on-device logging, access control, etc.

A type 2 pinpad + openpgp smartcard might be the best practical thing right now -- a PIN on the card, plus a passphrase from the host (I think you can require both?). Type 3 showing a hash of what you sign, or a serial number of number of signs, would be even better.

The GPF cryptostick (usb) is also nice -- I think you could also take the Werner smartcard and cut it down to a smaller size for a USB stick sized reader. Sadly GPF stick 1.2 is out of stock everywhere.

[agwa]

> I think you could also take the Werner smartcard and cut it down to a smaller size for a USB stick sized reader

Yup, personally I've stuck my OpenPGP card in a Gemplus GemPC USB Shell Token v2:

http://www.cdw.com/shop/products/Gemplus-GemPC-USB-Shell-Tok...

If you get the OpenPGP card with a SIM cut-out, assembly is a breeze. Almost as good as a GPF stick.

[arete]

Yeah, Kernel Concepts sells the OpenPGP card in a SIM breakout style too.

I really wanted the CryptoStick, looks like they're temporarily about of stock pending the new 2.0 revision, but not holding my breath.

[rdl]

Yeah, I guess I just don't trust smartcards all that much from a hardware security perspective, vs. modules with battery inside a metal envelope. I'm sad Maxim/DS killed the Crypto iButton line -- it was a great compromise between smartcard cost ($20-30) and HSM physical security. The software was never great, though.