Overall
-------

Incorporates a potentially good idea of investigating the role of ID-based AKE using symmetric key algorithms only. The survey needs to be more thorough and the new ideas need to be developed much further.

Technical
---------

Section II
- you mention AKE based on IBC but don't give an example. So it is difficult to see how the key escrow leads to session key recoverability
- describe how Chen and Kudla's scheme avoids (session) key recoverability
- I am not sure your description of Balfanz et al.'s scheme is correct?
  - do they really require the TA's public parameters to be kept secret? Where and why?
  - the set of roles should be assumed to be public. But the scheme assures that you cannot verify if a peer has a certain role or not unless you have a matching role. Perhaps this is not explained well in the paper (but you can, in your paper). (e.g., Alice will not do key agreement for the ID "alice-member" with the ID "bob" but only "bob-member")
- There are other problems with Balfanz et al.'s scheme. E.g., if the same person uses different IDs in different situations they may be suspected. If they use a certain ID and key agreement fails, that might also leak information.

Section II.B
- Subsection B last sentence of first para is not clear. Do you mean that "by holding a master key lower in the hierarchy, an attacker cannot deduce a higher level key in the hierarchy knowing another key in the same level"?

Section III
- What is the advantage of using the ID to derive the keys? E.g., why is Receiver ID-based AKE better than Kerberos?

Section IV.C
- "Note that the response does not have to contain the SID anymore". Why "anymore"?
- assuming that the attacker cannot see both the request and response: is this a valid assumption? Why?
- If not, your scheme would require that DNS responses are protected by a key shared between the DNS server and the sender.

Editorial
---------

Section IV
- s/Time To Leave/Time To Live/