1 Rating

Technical quality 4: Contents are mostly correct. Some improvements suggested below.
Originality 2: Good survey of current state; no new ideas.
Editorial quality 4: Mostly understandable, some improvements identified below.
Overall grade 3
Confidence 3: I have a good level of knowledge of this topic.

Detailed Comments

2a. Technical quality

The paper provides a good survey of several attempts and attacks on authenticated key agreement. It starts from one of the Burmester-Desmedt key agreement protocols, and covers GDH.2 and the efforts made to add authentication to it. Pereira and Quisquater's attack against the Cliques implicit key authentication property is briefly explained, as well as the development thereafter. Wong and Stajano's solution with auxiliary channels is presented at the end. A conclusion (not explicitly stated in the paper) can be drawn that, to current knowledge, authenticated key agreement needs auxiliary channels or pre-shared passwords.

There are probably many more papers written about the subject than this paper covers. However, the choice of covered publications is a strength, because these form a clear path: from the first attempts to how they were broken and again to new proposals that seem to avoid the weaknesses. This survey is compact and could be the beginning of a paper that presents its own solution. But unfortunately there is no solution of its own or any new ideas, which of course is a weakness.

2b. Originality

The paper doesn't claim new ideas.

2c. Editorial quality

The text is easy to read and understand. There are lots of formulas, some of which have typos that make them hard to read. The abstract faithfully describes the contents and the introduction explains the problem well. The protocols should be explained more, perhaps with a box for each protocol and an explanation with fewer formulas in the text. References are incomplete (only name, title and year for entries 4, 6, 7 and 10). For example, I would like to know where references 6 and 7 were presented.

Some typos/errors:

In 2.3.1 it should read "The intruder will then use the r_2-service in the first protocol run to get g^{...} exponentiated to r_2". Later in the same section, r^2 should be r_2.

In the Abdalla et al. protocol, the symmetric key k_i=H(S,i,pw) is defined, but not used anywhere.