Am 06.01.14 17:26, schrieb Michael Urman:
> Here's some more guesswork. Does it seem possible that msiexec is
> trying to verify the revocation status of the certificate used to sign
> the python .msi file? Per
> http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx
> it looks like crl.microsoft.com is the host; this is hosted on akamai:
>    crl.microsoft.com is an alias for crl.www.ms.akadns.net.
>    crl.www.ms.akadns.net is an alias for a1363.g.akamai.net.

I think that could be close. The MSI file has two signatures in it: the
PSF code signing signature, and a Verisign timestamping signature.

For the PSF certificate, the CRL is at csc3-2010-crl.verisign.com,
which is (here) a CNAME for crl.ws.symantec.com.edgekey.net, which
in turn is a CNAME for e6845.ce.akamaiedge.net.

The timestamping signature has its CRL at ts-crl.ws.symantec.com,
which is a CNAME for crl.ws.symantec.com.edgekey.net again.

So the most plausible reason is indeed that it tries to download
CRLs, though not Microsoft ones, but Verisign/Symantic ones.

Regards,
Martin


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Reply via email to