This paper is a clear and complete survey of how link layer keys are
established and used in UWB and 802.11 standards.  It pays particular
attention to group keys, and puts it in context with recent proposals
for "one-shot" group key establishment.

Technical
---------
- Section 4: it is true that distributing the group key by using
  pair-wise security associations is cumbersome when groups come into
  being all at once.  But possibly the more common use case for WLAN
  (and possibly UWB?) are groups that grow gradually one member at a
  time.

- Section 4, page 5, end of last column: "This method is still
  unsecure" .. why?  How can the expelled device which "recorded one
  association between two other devices" find out the new group key?
  Are you assuming that this one association is based on a short
  password or something?

- Section 5, both link layers use sender-specific group keys (GTKs).
  If the upper layer group key agreement protocol is used to
  distribute GTKs, how will it work?  Will the same upper-layer group
  key be used to encapsulate n different GTKs?

  -> what is the rationale for sender-specific GTKs?

Editorial
---------
- Not too many editorial issues.  Very nicely written! A little too
  verbose, but that is better than being too compact.
- page 3 s/simples/simplest(
- For section 2 and section 3, it might help to draw the pictures of
  the respective key hierarchies.
- Section 3.2: I guess GTK is generated by diversifying GMK.  It might
  be worth saying so explicitly:
  ".. GTK is generated  ... by diversifying the .. GMK ... with
   GNonce, fixed sgtring, and the identifier .."