Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
P. Saint-Andre, J. Hodges · 2011-03
Abstract
Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions.
Why This RFC Matters
RFC 6125 consolidated the previously inconsistent and protocol-specific rules for how a TLS client should match the domain name it is connecting to against the names present in a server's certificate — Subject Alternative Names and the Common Name. Prior to this document, each protocol specification (HTTPS, XMPP, LDAP, SIP) had subtly different rules that led to implementation bugs and security gaps. By providing a single authoritative procedure, RFC 6125 significantly improved the consistency of certificate validation across the entire TLS ecosystem, and its guidance directly influenced browser validation logic and CA/Browser Forum Baseline Requirements.