[1] RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) ( 版) <https://tools.ietf.org/html/rfc6125#section-1.8>
reference identifier: An identifier, constructed from a source
domain and optionally an application service type, used by the
client for matching purposes when examining presented identifiers.
[2] RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) ( 版) <https://tools.ietf.org/html/rfc7525#section-6.1>
If the host name is discovered indirectly and in an insecure manner
(e.g., by an insecure DNS query for an MX or SRV record), it SHOULD
NOT be used as a reference identifier [RFC6125] even when it matches
the presented certificate. This proviso does not apply if the host
name is discovered securely (for further discussion, see [DANE-SRV]
and [DANE-SMTP]).