diff --git a/acme/api/handler.go b/acme/api/handler.go
index d6153184..09ca03a3 100644
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@@ -101,16 +101,16 @@ func (h *Handler) Route(r api.Router) {
 r.MethodFunc("HEAD", getPath(DirectoryLinkType, "{provisionerID}"), h.baseURLFromRequest(h.lookupProvisioner(h.GetDirectory)))
 validatingMiddleware := func(next nextHTTP) nextHTTP {
- return h.baseURLFromRequest(h.lookupProvisioner(h.addNonce(h.addDirLink(h.verifyContentType(h.parseJWS(next))))))
+ return h.baseURLFromRequest(h.lookupProvisioner(h.addNonce(h.addDirLink(h.verifyContentType(h.parseJWS(h.validateJWS(next)))))))
 }
 extractPayloadByJWK := func(next nextHTTP) nextHTTP {
- return validatingMiddleware(h.validateJWS(h.extractJWK(h.verifyAndExtractJWSPayload(next))))
+ return validatingMiddleware(h.extractJWK(h.verifyAndExtractJWSPayload(next)))
 }
 extractPayloadByKid := func(next nextHTTP) nextHTTP {
- return validatingMiddleware(h.validateJWS(h.lookupJWK(h.verifyAndExtractJWSPayload(next))))
+ return validatingMiddleware(h.lookupJWK(h.verifyAndExtractJWSPayload(next)))
 }
 extractPayloadByKidOrJWK := func(next nextHTTP) nextHTTP {
- return validatingMiddleware(h.validateJWS(h.extractOrLookupJWK(h.verifyAndExtractJWSPayload(next))))
+ return validatingMiddleware(h.extractOrLookupJWK(h.verifyAndExtractJWSPayload(next)))
 }
 r.MethodFunc("POST", getPath(NewAccountLinkType, "{provisionerID}"), extractPayloadByJWK(h.NewAccount))
diff --git a/acme/api/revoke.go b/acme/api/revoke.go
index 209bc204..4d31c7be 100644
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
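Review bot: The ordering that `validatingMiddleware` now relies on is not documented. `h.validateJWS` has to stay directly inside `h.parseJWS` and outside the key handlers (`extractJWK`, `lookupJWK`, `extractOrLookupJWK`), so that no handler receives a parsed but unvalidated JWS. I would add a comment above the closure, for example `// validatingMiddleware parses and validates the JWS before any key extraction or payload verification; keep validateJWS immediately after parseJWS.` Any route that wraps its handler in `validatingMiddleware` directly (none is visible in this hunk) now also passes through `validateJWS`, which is a behaviour change that deserves a per-route test with a malformed JWS header. `Route` begins before the hunk and continues past it.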
@@ -205,7 +205,7 @@ func identifierKey(identifier acme.Identifier) string {
 }
 // extractIdentifiers extracts ACME identifiers from an x509 certificate and
-// creates a map from them. The map ensures that double SANs are deduplicated.
+// creates a map from them. The map ensures that duplicate SANs are deduplicated.
 // The Subject CommonName is included, because RFC8555 7.4 states that DNS
 // identifiers can come from either the CommonName or a DNS SAN or both. When
 // authorizing issuance, the DNS identifier must be in the request and will be
@@ -227,7 +227,6 @@ func extractIdentifiers(cert *x509.Certificate) map[string]acme.Identifier {
 }
 result[identifierKey(identifier)] = identifier
 }
- // TODO(hs): should we include the CommonName or not?
 if cert.Subject.CommonName != "" {
 identifier := acme.Identifier{
 // assuming only DNS can be in Common Name (RFC8555, 7.4); RFC8738
@@ -302,7 +301,7 @@ func validateReasonCode(reasonCode *int) *acme.Error {
 return nil
 }
-// revokeOptions determines the the RevokeOptions for the Authority to use in revocation
+// revokeOptions determines the RevokeOptions for the Authority to use in revocation
 func revokeOptions(serial string, certToBeRevoked *x509.Certificate, reasonCode *int) *authority.RevokeOptions {
 opts := &authority.RevokeOptions{
 Serial: serial,