From Reference ID means validating Server Identity. For example if SAN DNS name is "example.com" or IP is "aaa.bbb.ccc.ddd" then we can pass external string "example.com" or "aaa.bbb.ccc.ddd" to Policy. This validation is needed for server Identity check. Let me know if any other clarification is needed. Also Can you confirm what validation does SecPolicyCreateX509() policy actually verifies? (Chain validation, expiration, signature, ec parameter, revocation) ? i can not find any specific documentation for this.