Method and apparatus for delivering keying information

The invention claimed is: 1. A method of delivering an application key or keys to an application server for use in securing data exchanged between the application server and a user equipment, the user equipment accessing a communications network via an access domain, the method comprising: running an Authentication and Key Agreement procedure between the user equipment and a home domain in order to make keying material available to the user equipment and to an access enforcement point, and using at least a part of said keying material to secure a communication tunnel between the user equipment and the access enforcement point; deriving one or more application keys within the home domain using at least part of said keying material, providing said application key(s) to said application server, and deriving the same application key(s) at the user equipment, wherein said access enforcement point is unable to derive or have access to said application key(s). 2. The method according to claim 1 , wherein the running of said Authentication and Key Agreement procedure occurs at registration or re-registration of the user equipment with the home domain. 3. The method according to claim 1 , wherein domain access via said access enforcement point is controlled by an access enforcement point controller, said step of running an Authentication and Key Agreement procedure between the user equipment and a home domain comprising: sending from the home domain to the access enforcement point controller an authentication vector including a random value, and secondary cipher and integrity keys derivable from the random value, and forwarding the random value to the user equipment; passing the secondary cipher and integrity keys from the access enforcement point controller to the access enforcement point; and at the user equipment, applying a first key derivation function to the random value to generate primary cipher and integrity keys, and applying a second key derivation function to the primary cipher and integrity keys to generate said secondary cipher and integrity keys, whereby a secure tunnel can be established between the access enforcement point and the user equipment on the basis of said secondary cipher and integrity keys. 4. The method according to claim 3 and comprising deriving said application keys(s) at the user equipment and at the home domain using one or both of said primary cipher and integrity keys. 5. The method according to claim 1 , wherein domain access via said access enforcement point is controlled by an access enforcement point controller, said keying material comprising first and second random values and primary cipher and integrity keys derivable from the first random value, the method comprising: forwarding the random values from the access enforcement point controller to the user equipment, and the user equipment applying a first key derivation function to the first random value to generate primary cipher and integrity keys, whereupon a secure tunnel can be established between the access enforcement point and the user equipment on the basis of said primary cipher and integrity keys. 6. The method according to claim 5 and comprising deriving said application key(s) at the user equipment and within the home domain using said second random value. 7. The method according to claim 6 and comprising deriving secondary cipher and integrity keys from the second random value, and then applying a key derivation function to the secondary cipher and integrity keys to generate the application key(s). 8. The method according to claim 5 , said steps of deriving an application key or keys within the home domain and at the user equipment comprising utilizing a secret shared between the home domain and the user equipment to derive the application key(s). 9. The method according to claim 1 and comprising deriving said application key(s) by applying a key derivation function to cipher and integrity keys, and to a service node identifier. 10. The method according to claim 1 , wherein said access enforcement point is within a Proxy Call Session Control Function of an IP Multimedia Subsystem. 11. The method according to claim 10 , wherein said access enforcement point controller is provided within the Proxy Call Session Control Function, and, within the home domain, a Serving Call Session Control Function is responsible for handling said Authentication and Key Agreement procedure in conjunction with a Home Subscriber Server. 12. The method according to claim 1 , wherein said access enforcement point is within a Serving GPRS Support Node of a UMTS access domain. 13. The method according to claim 12 , wherein said access enforcement point controller is provided within the Serving GPRS Support Node. 14. The method according to claim 1 , wherein said access enforcement point is within a Radio Network Controller of a UMTS access domain. 15. The method according to claim 14 , wherein said access enforcement point controller is provided within a Visitor Location Register. 16. The method according to claim 1 , wherein said access domain comprises a Long Term Evolution access domain, said access enforcement point being a UPE/MME/eNodeB. 17. The method according to claim 16 , wherein said access enforcement point controller is provided within a MME. 18. The method according to claim 16 comprising interposing a user credential management server between a Home Subscriber Server of the home domain and the access enforcement point controller, this server determining secondary cipher and integrity keys and providing application keys to application servers upon request. 19. A network based apparatus for delivering an application key or keys to an application server for use in securing data exchanged between the application server and a user equipment, the user equipment accessing a communications network via an access domain, the apparatus comprising: means for running an Authentication and Key Agreement procedure with the user equipment in order to make keying material available to the user equipment and to an access enforcement point, whereby at least a part of said keying material can be used to secure a communication tunnel between the user equipment and the access enforcement point; means for deriving one or more application keys using at least part of said keying material, and providing said application key(s) to said application server, the keying material allowing the user equipment to also derive the application key(s) but not allowing said access enforcement point to derive the key(s). 20. A method of securing communications between User Equipment and an application server via an IP Multimedia Subsystem network, the method comprising: running an Authentication and Key Agreement procedure between the User Equipment and a Serving Call State Control Function of the IP Multimedia Subsystem network in order to make available to the User Equipment and to a Proxy Call State Control Function, keying material, and using at least a part of said keying material to secure a communication tunnel between the User Equipment and the Proxy Call State Control Function; and deriving at least one application service key at the Serving Call State Control Function using at least part of said keying material, providing said application service key(s) to said application server, and deriving the same application service key(s) at the User Equipment, wherein the Proxy Call State Control Function is unable to derive said application service key(s).