I agree with you on option 3. I don't think it is reasonable for users to expose a security hole on their intranets just because of a single component. As far as I can tell, this does seem to be default component behavior for the .NET framework. Disabling CRL checking in IE was a way to test whether this was the problem on your end.
The reason why I was not seeing the delay was that I was totally disconnected from the network, so I was never connecting to Thawte in the first place, hence the faster timeouts. In your case, you do send packets to Thawte, so the framework waits longer to receive a reply. But it never does. So I was finally able to reproduce the problem you were seeing by using a software firewall.
According to what I saw, the problem comes down to making sure you have 2 certificates from Thawte showing up under the "Trusted Root Certification Authorities" tab in the certificate manager. Usually these get downloaded for you automatically, but if you have certain ports blocked, those certificates are never added.
So it seems that the following is happening:
1. The .NET app is launched and the framework checks the digital signature and sees that it's signed by Thawte.
2. It needs to verify that the signature provider is valid and checks to see whether Thawte is one of the trusted root certificate authorities (CAs).
3. If the certificate is not on the system, then it tries to check the CA online.
4. If it can't connect, it launches the app anyway, only after a very very long (non-configurable?) delay.
I'm still not sure why exactly the framework is trying to verify the component's signature at runtime, even though it's on a local machine with full permissions. It's something we're investigating.
Here are the certificates that I traced it down to. You can see if you already have these on your system. The file format is PKCS #7. These are titled "Thawte Premium Server CA" and "Thawte Timestamping CA". You can see the certificates you have on your system by going to IE >> Tools >> Internet Options >> Content and clicking the Certificates button. Go to the "Trusted Root Certification Authorities" tab and see if you have any certificates by those names. Otherwise you can import these certificates by importing the attached file. You can remove the .txt extension at the end of the attachment. I can't seem to post files with a .p7b extension.
Is it ok if I contact you directly? It might help speed up the investigation process. Then I could post the investigation results on the forum for everyone to view.
Try importing these certificates (if you don't already have them) and let me know what you find. And I guess you should re-enable the option to check CRLs in IE.
Hope this helps. Thanks for helping us investigate this.
Bilal Durrani
NI
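The certificate-store check the post walks through by hand in IE, as an added PowerShell example. This is not the poster's code or an NI tool: it lists which of the two Thawte root certificates named above are present in the Trusted Root store for both the machine and the current user, and, if either is missing, imports the PKCS #7 (.p7b) bundle into the machine store. The bundle path is an assumed placeholder for wherever the attachment was saved after renaming it from .txt.

```powershell
# Added example, not from the original post. Checks the Trusted Root Certification
# Authorities store for the two Thawte CA certificates the post names and imports a
# PKCS #7 bundle if they are missing. Assumption: $BundlePath is a hypothetical
# location for the attachment. Writing to LocalMachine\Root needs an elevated session.

$WantedNames = @('Thawte Premium Server CA', 'Thawte Timestamping CA')  # names from the post
$BundlePath  = 'C:\temp\thawte_roots.p7b'                               # hypothetical path

function Get-TrustedRootByName {
    # Returns one record per matching certificate found in the Root store of each location.
    param([string[]]$Names, [string[]]$Locations = @('LocalMachine', 'CurrentUser'))

    foreach ($location in $Locations) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
        try {
            foreach ($cert in $store.Certificates) {
                # SimpleName is the CN, which is what the IE certificate dialog displays.
                $simpleName = $cert.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
                if ($Names -contains $simpleName) {
                    New-Object PSObject -Property @{
                        Location   = $location
                        Name       = $simpleName
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                    }
                }
            }
        } finally {
            $store.Close()
        }
    }
}

function Import-RootBundle {
    # Imports the self-signed certificates from a PKCS #7 bundle into LocalMachine\Root.
    param([Parameter(Mandatory = $true)][string]$Path)

    # X509Certificate2Collection.Import reads .p7b (PKCS #7) bundles as well as single certs.
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($Path)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($cert in $bundle) {
            # Only self-signed certificates belong in the Root store; a .p7b can also
            # carry intermediates, which should not be trusted as roots.
            if ($cert.Subject -eq $cert.Issuer) {
                $store.Add($cert)
                Write-Host "Imported $($cert.Subject) ($($cert.Thumbprint))"
            } else {
                Write-Warning "Skipping non-root certificate: $($cert.Subject)"
            }
        }
    } finally {
        $store.Close()
    }
}

$found      = @(Get-TrustedRootByName -Names $WantedNames)
$foundNames = @($found | ForEach-Object { $_.Name })
$missing    = @($WantedNames | Where-Object { $foundNames -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Host "Missing from the Trusted Root store: $($missing -join ', ')"
    if (Test-Path $BundlePath) {
        Import-RootBundle -Path $BundlePath
    } else {
        Write-Warning "Bundle not found at $BundlePath; save the attachment there and rerun."
    }
} else {
    $found | Format-Table Location, Name, Thumbprint, NotAfter -AutoSize
}
```

Run it from an elevated prompt if the import branch is needed; the read-only check works as a normal user. Separately from which roots are installed, on .NET Framework 2.0 SP1 and later the startup Authenticode check that causes the delay can be turned off per application by adding `<generatePublisherEvidence enabled="false"/>` inside the `<runtime>` element of the application's .exe.config file, which avoids the network round trip altogether for applications that do not rely on publisher evidence.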