ndncert

In order to run a large scale application test across the testbed, it would be necessary to connect some end hosts onto a gateway router other than the experimenter's own institution router.
After #3568, a testbed certificate is required to obtain a back route from the gateway router toward the end host.

Although it's possible to configure a gateway router to accept remote prefix registrations signed by certificates from other institutions, NFD's automatic prefix propagation feature will use the same prefix as the identity name derived from the certificate.
This means, the back route would have a prefix that differs from the gateway router's routable prefix, and thus it is not globally reachable unless every Interest carries a Link object that points to the gateway router.

It's desirable to allow an experimenter to request a testbed certificate under another institution's prefix without acquiring an email address at that institution.
To prevent name conflicts, the identity of such a certificate should contain the token GUEST or similar, and should contain a representation of the experimenter's full email address.
To prevent abuse, such a certificate should have a shorter validity period, such as 7 days which should be sufficient for most experiments.