Trezor is based on deterministic wallets, so device itself don't need to have private key management. Device stores just initial seed and send master public key to the computer, so computer itself can generate new bitcoin addresses for receiving money.


The workflow is bit more complicated than this. Firstly, it's not wise to allow signing of custom transaction provided by the computer, because making 100% bulletproof script parser is pretty hard. Trezor has native support for "pay to address" and "pay to script hash" scripts, which are currently the only scripts used in bitcoin world. So computer ask Trezor to build transaction with given inputs and outputs and Trezor make tx template itself.

Second problem is memory limits of such devices. We'd like to support teoretically unlimited amount of inputs and outputs per transaction, so sending everything in one message is non feasible. We've proposed "streaming API", method how to pass necessary information to Trezor and still keep memory footprint very low. Please read https://github.com/slush0/bitkey-python/blob/master/docs/signtx_workflow.png and https://github.com/slush0/bitkey-python/blob/master/protobuf/bitkey.proto for technical details.


This is unnecessary, because thanks to deterministic algorithms (BIP32, Electrum), computer itself can generate public keys for given seed.


Not aplicable for deterministic wallets.


PIN is there already. When user put invalid PIN, device will sleep for few seconds. Device also asks for OTP (one time password) *before* asking for PIN, so brute force won't be possible at all, because for every PIN attempt, user will need to rewrite OTP from the display to test new PIN...