[1] RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) (2015-03-13 22:27:53 +09:00 版) https://tools.ietf.org/html/rfc6125#section-1.8

reference identifier: An identifier, constructed from a source
domain and optionally an application service type, used by the
client for matching purposes when examining presented identifiers.

[2] RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) (2015-05-29 03:22:56 +09:00 版) https://tools.ietf.org/html/rfc7525#section-6.1

If the host name is discovered indirectly and in an insecure manner
(e.g., by an insecure DNS query for an MX or SRV record), it SHOULD
NOT be used as a reference identifier [RFC6125] even when it matches
the presented certificate. This proviso does not apply if the host
name is discovered securely (for further discussion, see [DANE-SRV]
and [DANE-SMTP]).