Rating

Technical quality 5: Contents are completely correct. There are no errors. The paper seems to cover the area it claims to cover.

Originality 5: New results of publishable quality and good analysis of current state. New types of attacks have been identified, on the basis of a good analysis of the current state of the art in security associations. The analysis of the current state seems thorough, and there are rather many references.

Editorial quality 4: Mostly understandable, some improvements identified below. The paper is well written for the most part; just run a basic English spell check on the text.

Overall grade (overall, how do you rate this paper?) 4: Very good. Some sentences were hard to understand, and some were ambiguous. However, overall the paper gives a good comparison of various approaches to security associations in several different technologies, which are the most important ones. New attack scenarios are presented. Refining the language and scattering references throughout the work will raise the paper to grade 5.

Confidence (how confident are you about this review?) 2: I have some general knowledge of this subject.

2. Detailed comments

2a. Technical quality

The paper addresses an important issue: the current vulnerabilities in guaranteeing the security of communication in the area of personal networks. The paper presents a state-of-the-art review of security associations in personal networks. It concentrates specifically on evaluating four different technologies, probably because they are the most utilized ones (the selection criteria are not stated, it seems). These are evaluated against four different evaluation criteria. On the basis of the analysis, new types of attack scenarios are identified. The paper concludes by suggesting ways to address the identified threats.

The strength of the paper is that it covers its topic quite well, and presents new threat scenarios and proposes solutions for tackling these threats.

A weakness is that references are not evenly distributed across the various sections. The paper could also benefit from using references from the field of usability when stating the usability problems in the technologies.

2b. Originality

The analysis of the attack scenarios and the identification of new attack possibilities is claimed as new, and this also seems to be the case.

2c. Editorial quality

Overall, the paper is well written and nice to read. Some misspellings seem to be due to hurry, and I would expect them to have disappeared in the final version of the paper. The tables categorize the issues dealt with nicely.

Some minor things to consider for fine-tuning:
- Throughout the paper, introductory text between title and subtitle, or between subtitle and subsubtitle, is missing.
- p. 3 starts with "Another threat..." - however, no "threat" is mentioned in the previous paragraph.
- p. 3: Visual and audio channel. No example of audio is given.
- p. 4: 2. Just works model - what the user sees (= nothing?) was a bit unclear on the basis of the description. Or maybe I just didn't get it.
- p. 5, section 1. Cable model - ends with "clicking user interface dialogs" - a bit unclear what this means in practice.
- p. 5, section 2. Numeric model - how the user must explicitly authorize the association remained unclear to me.
- p. 5, section 2. Secure mode - an own --> its own/their own.
- p. 6, 4.1.1. Evaluation Criteria, first paragraph - would benefit from giving some concrete examples of the security compromises made.
- p. 7, end of first paragraph: "the user may be assumed to protect portable memory devices" - protect how?
- p. 7, 3rd paragraph: the meaning of this sentence is quite unclear to me.
- p. 9, paragraph 4.3.1: the meaning of the last sentence is quite unclear to me.
- p. 10, paragraph starting with "Particular association...": do you mean to refer to 5-digit PINs, or are 5 different PINs being used?
- p. 12, chapter 5, first paragraph: the statement "...haven't faced thorough inspections" seems rather vague, so it could be made more explicit.
- p. 14, chapter 6, items 1 and 2 in the numbered list: "educating the users" by making them read manuals is a strategy that is usually not very effective. Users tend not to read the manuals. Also, in item 2, how the potential attack is shown to the user is not stated.