[FIG(quote)[
[FIGCAPTION[
[1] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]]
([TIME[2015-03-13 22:27:53 +09:00]] 版)
<https://tools.ietf.org/html/rfc6125#section-1.8>
]FIGCAPTION]

> reference identifier:  An identifier, constructed from a source
>       domain and optionally an application service type, used by the
>       client for matching purposes when examining presented identifiers.

]FIG]


[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]]
([TIME[2015-05-29 03:22:56 +09:00]] 版)
<https://tools.ietf.org/html/rfc7525#section-6.1>
]FIGCAPTION]

>  If the host name is discovered indirectly and in an insecure manner
>    (e.g., by an insecure DNS query for an MX or SRV record), it SHOULD
>    NOT be used as a reference identifier '''['''RFC6125''']''' even when it matches
>    the presented certificate.  This proviso does not apply if the host
>    name is discovered securely (for further discussion, see '''['''DANE-SRV''']'''
>    and '''['''DANE-SMTP''']''').

]FIG]