General: This is a serious attempt to create a taxonomy of different association models, and to compare them with each other. The attacks are also new and interesting as they apply to the situation, which is common in practice, that several association models are available and the devices or users can select which one to use. Previously, the security has been analyzed for each protocol separately and the bidding-down attack within one wireless standard only. This line of research could be continued by taking into consideration also other applications that two devices can run in parallel with third devices.

Detailed comments and typos:

- It would be good to explain the term "multi-model" in the title in the introduction.
- Section 1: problematic
- Section 3.4: is not able to extract
- Section 4.1.1: cannot listen to initial associations
- Sec 4.2.2: 6-digit PIN, 2-digit PIN (as in Table 3) [comment: PIN = password]
- Sec 4.3.1:
  - Consequently, security standards should aim at minimizing users' chances to make mistakes and compromise security.
  - ...the amount of efforts..
  - ...easiness of use of the security mechanisms.
  - usability of password-based association models depend on the length of password.
  - Vaudenay demonstrated how to use short, non-secret password in security association. [comment: of course each password value is different, but the singular form "password" is used as it is the name of the security parameter (cf. key). Secret password-based key agreement protocols have been previously proposed by many authors. It may be desirable to reserve the term "password" for secret short strings. Then Vaudenay's strings could be called, as by Vaudenay, short authenticated strings.]
  - 5 PINs --> 5-digit numeric strings
- Section 4.3.2: You recommend that all Personal Networks should use numeric comparison model as one optional method. How can you make sure that the users really compare the strings? Has numeric comparison some advantages against the attacks presented in Section 5?
- Section 4.4 (Title and text): Extensibility
- Section 5.2: The attacker must be able ...
- Section 5.3: ...to raise user's suspicion. (Or: ...users' suspicion.)