Minor nit: I agree that keystroke timing is good in principle for getting "true" random bits, but we should be careful not to extrapolate too much from the STU-III for general purpose computer systems.
I fully agree.
Compounding the issue is knowing which bits in the interarrival time are the "hotest" ones to measure on a particular system, which may be surprisingly far from the lowest order bits depending on the clock granularity and skew.
I think this is less of a problem. Given a good cryptograpic hash function, I would simply hash *all* of the clock bits, without regard to which are the "hottest" ones. If (important 'if') there is sufficient total entropy in the input bits, hashing should effectively "distill" the input entropy into the output bits. Phil