Authentication and secure channel setup for communication handoff scenarios

US9614831B2 · US · B2

Patent metadata

Field               Value
Publication number  US-9614831-B2
Application number  US-201514684906-A
Country             US
Kind code           B2
Filing date         Apr 13, 2015
Priority date       Dec 30, 2010
Publication date    Apr 4, 2017
Grant date          Apr 4, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticating a mobile device for access to services at a network server. The authentication credentials may be derived from the application-layer credentials of another network to enable a seamless handoff from one network to another. The authentication credentials may be derived from the application-layer credentials using reverse bootstrapping or other key derivation functions. The mobile device and/or network entity to which the mobile device is being authenticated may enable communication of authentication information between the communication layers to enable authentication of a device using multiple communication layers.

Claims

Full claim text for this publication.

What is claimed:

  1. A method for generating an authentication credential for use in an authentication of a mobile device, the method comprising: establishing, via an application layer between the mobile device and a network server, an application-layer credential that is shared with the network server, wherein the application-layer credential is configured to authenticate the mobile device on the application layer for receiving a service from the network server using a first network; discovering a network communication entity on a second network; and generating, based on the application-layer credential, the authentication credential for performing authentication on a communication layer of the second network, wherein the authentication at the second network enables the mobile device to switch from the first network to the second network and receive the service from the network server using the second network, the application-layer credential surviving the switch from the first network to the second network.

  2. The method of claim 1, further comprising: determining an application-layer identity for communicating with the network communication entity at an application layer of the second network; determining an access-layer identity from the application-layer identity for communicating with the network communication entity at an access layer of the second network; and sending the access-layer identity to the network communication entity of the second network at the access layer to initiate generation of the authentication credential.

  3. The method of claim 1, wherein the mobile device is configured to communicate the authentication credential from the application layer to the communication layer of the mobile device.

  4. The method of claim 1, wherein the authentication credential is generated from the application-layer credential using a key derivation function.

  5. The method of claim 1, wherein the communication layer of the second network comprises an access layer of the second network and wherein the authentication credential is an access-layer credential.

  6. The method of claim 5, wherein the access-layer credential comprises a session key.

  7. The method of claim 1, wherein the first network is a cellular communications network and wherein the second network is a wireless local area network (WLAN).

  8. The method of claim 1, wherein the method is performed during a communication layer handoff.

  9. The method of claim 1, wherein the network communication entity comprises an access point (AP) or a Hotspot, and wherein the network server comprises an authentication, authorization, and accounting (AAA) server, an application server, a wireless local area network (WLAN) gateway, or a WLAN access point (AP).

  10. The method of claim 9, wherein the AAA server comprises an OpenID provider (OP) server, and wherein the WLAN gateway and the WLAN AP comprise a relying party (RP).

  11. The method of claim 10, wherein the OP server comprises a mobile network operator (MNO) or an application service provider (ASP).

  12. A mobile device comprising a processor and a memory bearing computer-executable instructions which, when executed by the processor of the mobile device, cause the mobile device to: establish, via an application layer between the mobile device and a network server, an application-layer credential that is shared with the network server, wherein the application-layer credential is configured to authenticate the mobile device on the application layer for receiving a service from the network server using a first network; discover a network communication entity on a second network; and generate, based on the application-layer credential, the authentication credential for performing authentication on a communication layer of the second network, wherein the authentication at the second network enables the mobile device to switch from the first network to the second network and receive the service from the network server using the second network, the application-layer credential surviving the switch from the first network to the second network.

  13. The mobile device of claim 12, wherein the computer-executable instructions further cause the mobile device to: determine an application-layer identity for communicating with the network communication entity at an application layer of the second network; determine an access-layer identity from the application-layer identity for communicating with the network communication entity at an access layer of the second network; and send the access-layer identity to the network communication entity of the second network at the access layer to initiate generation of the authentication credential.

  14. The mobile device of claim 12, wherein the mobile device is configured to communicate the authentication credential from the application layer to the communication layer of the mobile device.

  15. The mobile device of claim 12, wherein the authentication credential is generated from the application-layer credential using a key derivation function.

  16. A method for obtaining an authentication credential for use in authenticating a mobile device for accessing a service from an application server, the method comprising: obtaining, via an application layer associated with an application server, an authentication credential that is derived from an application-layer credential, wherein the authentication credential is configured to authenticate a mobile communication device for accessing services from the application server; sending the authentication credential from the application layer to another communication layer for authenticating the mobile device on the other communication layer; and using the authentication credential, based on the application-layer credential, to authenticate the mobile device at the other communication layer.

  17. The method of claim 16, wherein the other communication layer is an access layer and wherein the authentication credential is an access-layer credential.

  18. The method of claim 17, wherein obtaining the authentication credential further comprises: receiving, via the access layer at a network communication entity, an access-layer identity from the mobile device; sending the access-layer identity to an application layer of the network communication entity; receiving, via the application layer at the network communication entity, an application-layer identity that is bound to the access-layer identity; determining that the access-layer identity and the application-layer identity have been received from the mobile device; and as a result of the determination, using the application-layer identity to derive the authentication credential from the application-layer credential.

  19. The method of claim 16, wherein the authentication credential is derived using a key derivation function.

  20. The method of claim 16, wherein the method is performed at a Hotspot B or an authentication, authorization, and accounting (AAA) server.
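A worked illustration of the derivation the abstract and claims 2, 4 and 18 describe, added here as an example; it is not code from the patent or from its assignee. The patent only says the access-layer credential is derived from the application-layer credential "using reverse bootstrapping or other key derivation functions", so everything concrete below is an assumption: HKDF-SHA256 (RFC 5869) as the key derivation function, a hash-based pseudonym as the access-layer identity derived from the application-layer identity, and the sample credential, identities and network labels, which are constructed. The network-side class follows the claim 18 ordering: it records the identity received on each layer, checks that the two are bound to the same device, and only then derives the access-layer session key, so both sides end up with the same key without the application-layer credential ever crossing the access layer.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values (not from the patent). In the patent's setting the
# application-layer credential is established with the network server on the
# first network and survives the handoff to the second network.
APP_LAYER_CREDENTIAL = hashlib.sha256(b"constructed-app-layer-secret").digest()
APP_LAYER_IDENTITY = "device42@example.com"   # hypothetical application-layer identity
SECOND_NETWORK_ID = "wlan:hotspot-b"          # hypothetical label for the second network
KEY_LENGTH = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated to 'length' bytes."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_access_layer_identity(app_layer_identity: str) -> str:
    """Claim 2: an access-layer identity determined from the application-layer identity.
    Assumed form: a truncated hash pseudonym, so the access layer never sees the raw application identity."""
    digest = hashlib.sha256(b"access-identity|" + app_layer_identity.encode()).hexdigest()
    return "al-" + digest[:16]


def derive_access_layer_key(app_layer_credential: bytes, app_layer_identity: str,
                            access_layer_identity: str, network_id: str,
                            length: int = KEY_LENGTH) -> bytes:
    """Claims 4/15/19: access-layer session key = KDF(application-layer credential).
    Both identities and the target network are bound into the HKDF 'info' so a key for
    one hotspot or one device identity cannot be replayed for another."""
    info = b"|".join([b"access-layer-credential", app_layer_identity.encode(),
                      access_layer_identity.encode(), network_id.encode()])
    prk = hkdf_extract(salt=network_id.encode(), ikm=app_layer_credential)
    return hkdf_expand(prk, info, length)


class NetworkEntity:
    """Hotspot / AAA side of claim 18. It holds the application-layer credential shared
    earlier and derives the access-layer key only after both layers have reported
    identities that belong together."""

    def __init__(self, network_id: str, app_layer_credential: bytes):
        self.network_id = network_id
        self._app_layer_credential = app_layer_credential
        self._access_layer_identities = set()   # received via the access layer
        self._app_layer_identities = set()      # received via the application layer

    def receive_access_layer_identity(self, access_layer_identity: str) -> None:
        self._access_layer_identities.add(access_layer_identity)

    def receive_app_layer_identity(self, app_layer_identity: str) -> None:
        self._app_layer_identities.add(app_layer_identity)

    def derive_credential(self, app_layer_identity: str) -> Optional[bytes]:
        """Returns the access-layer key, or None if the binding check fails
        (identity missing on either layer, or the access-layer identity is not the
        one derived from this application-layer identity)."""
        expected_access_id = derive_access_layer_identity(app_layer_identity)
        if app_layer_identity not in self._app_layer_identities:
            return None
        if expected_access_id not in self._access_layer_identities:
            return None
        return derive_access_layer_key(self._app_layer_credential, app_layer_identity,
                                       expected_access_id, self.network_id)


def mobile_device_handoff(network: NetworkEntity) -> Tuple[str, bytes]:
    """Device side of claims 1-3: derive the access-layer identity, announce it on the
    access layer, present the application-layer identity on the application layer, and
    compute the same key locally to hand from the application layer to the access layer."""
    access_id = derive_access_layer_identity(APP_LAYER_IDENTITY)
    network.receive_access_layer_identity(access_id)
    network.receive_app_layer_identity(APP_LAYER_IDENTITY)
    device_key = derive_access_layer_key(APP_LAYER_CREDENTIAL, APP_LAYER_IDENTITY,
                                         access_id, network.network_id)
    return access_id, device_key


def demo() -> bool:
    """True when the device and the hotspot independently derive the same access-layer key."""
    hotspot = NetworkEntity(SECOND_NETWORK_ID, APP_LAYER_CREDENTIAL)
    _, device_key = mobile_device_handoff(hotspot)
    network_key = hotspot.derive_credential(APP_LAYER_IDENTITY)
    return network_key is not None and hmac.compare_digest(device_key, network_key)


if __name__ == "__main__":
    print("handoff keys match:", demo())
```

The binding check is the part worth keeping in any real implementation: without it, an access-layer identity seen on the air and an application-layer identity presented separately could be paired arbitrarily, and the hotspot would mint a session key for a device that never proved it held the application-layer credential.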

Assignees

Interdigital Patent Holdings Inc

Inventors

Classifications

  • by using authentication-authorization-accounting [AAA] servers or protocols · CPC title

  • Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title

  • using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title

  • Key management, e.g. using generic bootstrapping architecture [GBA] · CPC title

  • Access security · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9614831B2 cover?
Persistent communication layer credentials generated on a persistent communication layer at one network may be leveraged to perform authentication on another. For example, the persistent communication layer credentials may include application-layer credentials derived on an application layer. The application-layer credentials may be used to establish authentication credentials for authenticatin…
Who is the assignee on this patent?
Interdigital Patent Holdings Inc
What technology area does this patent fall under?
Primary CPC classification H04W12/06. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 4, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).