Since the middleware isn't the one managing the TLS connection, we already have to rely on whatever is managing the TLS connection to verify & pass it down into the Rack environment safely. Verifying it in the middleware simply proves you know the cert (which is more or less public) and doesn't prove ownership of the underlying private key.
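Added example, not part of the original comment or the project's code: it contrasts chain validation of a forwarded certificate, which takes no private key as input, with a possession proof. The helper names (`make_cert`, `chain_valid?`, `proves_possession?`) and the throwaway PKI are constructed for illustration, and the signed nonce is a simplified stand-in for the signature a client produces during the TLS handshake.

```ruby
require "openssl"

# Build a certificate for a constructed, throwaway test PKI.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  value = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", value, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# What a check inside the middleware amounts to: chain validation of
# the PEM it was handed. No private key is involved, so any party that
# holds a copy of the certificate gets the same result.
def chain_valid?(cert_pem, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(OpenSSL::X509::Certificate.new(cert_pem))
end

# What only the TLS endpoint can check: a signature over fresh data,
# made with the private key matching the certificate (simplified model).
def proves_possession?(cert_pem, nonce, signature)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.public_key.verify(OpenSSL::Digest.new("SHA256"), signature, nonce)
end

# Constructed sample data.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/CN=Constructed Test CA", CA_KEY, ca: true)
CLIENT_KEY = OpenSSL::PKey::RSA.new(2048)
CLIENT_PEM = make_cert("/CN=client", CLIENT_KEY,
                       issuer_cert: CA_CERT, issuer_key: CA_KEY).to_pem
```
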