1. Rating

Technical quality 5: Contents are completely correct. There are no errors.
Originality 3: No significantly new ideas, but good analysis of current state
Editorial quality 5: Clear, understandable and easy to read
Overall grade (overall, how do you rate this paper?) 4: Very good
Confidence (how confident are you about this review?) 2: I have some general knowledge of this subject

2. Detailed comments

2a. Technical quality

The paper first describes generic models on how to do pairing (associations) between devices. Then the author describes what models different personal area network technologies (Bluetooth, WLAN, WUSB, HomePlugAV) have adopted. After that, evaluation criteria are provided for measuring the security (threat model), hardware requirements (i.e. display, keyboard, etc.), and usability (user interaction requirements) of the different association models. With each evaluation criterion the listed technologies are compared. Finally the author provides some new attack scenarios, mainly based on the combination of weak and stronger association models with the assumption that the user does not notice the attack.

Strengths of the paper are the evaluation model, the detailed analysis of the existing technologies, and the generic association model description in the beginning. Also, the discussion on how the different alternatives in the standards make new attacks possible.

The reader does not know if these association models are existing, implemented, or if the author has created the model himself. Reviewer thought that the "push button" model would have been related to synchronization of the devices and then used to get timestamps secretly based on the synchronization model.

The paper mentions UWB (Ultra Wide Band), but does not evaluate it (e.g. describe it and compare it with others).

2b. Originality

The paper explains state of the art mechanisms at a high level. The covered technologies are well described.

2c. Editorial quality

The paper is very well structured and easy to read. The evaluation model and the attack/threat tree are especially good.

Generally could say "Comparison between personal networks technologies" (add "technologies").

The author could also think about how combinations of the different association models could improve the security. Using LEDs, for example. Could also mention association ideas based on common sensor information (like shaking the devices together and using "accelerator" sensor).

Author could also extend the scope of the technologies evaluated (e.g. include UWB?, Wibree?).

Author could also discuss what is protected with the association model. E.g. somehow explain what is good enough security with example cases. Like, for example, the well-known PIN code 0000 might just be OK with a GPS receiver.

Could perhaps show an example pairing protocol message flow.

Nits:

page 2, 2nd paragraph middle part
  s/end-users must to learn several/end-users must learn/
page 3
  s/based on based on/based on/
page 5, "2 secure mode"
  s/manual entry/manually enter/
page 6
  s/which is has/which has/
page 7, first words
  s/where presented in Section 2/were .../
  s/Diffie-Helman/Diffie-Hellman/g
page 8, table 1
  - could say "Countermeasures against man-in-the-middle attacks" instead of "man-in-the-middle attacks"
  s/which another has device/which another device has/
page 10, number 3
  s/how unique association model is/how unique the association.../
  s/acguire/acquire/
page 11
  s/extended/extend/
page 12
  s/may in some cases may/may in some cases/
page 13
  s/the attacker must able/the attacker must be able/
page 14
  s/association may implicit/association may be implicit/
  s/i.e. happens/i.e. it happens/