What are the implications of hosted key's? Shouldn't the keys be stored in the client where the log signing happens and then just appended to the log on the server, light client style?

This isn't to say what you've got isn't cool, it's great.