Ok, just browsed through the source code for wp-admin/setup-config.php
🙂
Apparently the distant call is made to generate SALT secret keys:
$secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' );
Calling this URL generates code like this:
define('AUTH_KEY', '5.p7N9J5mEb++TB9=X[#mD,97,*L.2&j `]+9(igm;.G8z#zCx{JcocPkoqJW_l*');
define('SECURE_AUTH_KEY', 'y)pV:td0nD>Vk.WQY/_jz>B.fW+6-)JXQB+o--c@+LfHdRlJUmq~{CK%8(RI}/:(');
define('LOGGED_IN_KEY', '~3:FIV(b+0YB3zh-H+}X$3Z0^6J|5R0G/?((#iQ<zR5R.&`og[.)*l0O/R;|fkZH');
define('NONCE_KEY', '3*{YXmsB`qHI^:C7R<P6RfD=+ }.aD+[1 8?]Z `y$Qs!B{;WBa_bA4)^v7fTc*t');
define('AUTH_SALT', 'iKqrV-wj-Tul9Hf/73.^k,X9:}44X>Md|N7Wcis,t~{;z5gkAJ+_#@+`K*<(,$>}');
define('SECURE_AUTH_SALT', '|IHFZzBK~;O|^+}btQ|XD2D+y.|tIG>+@%#7Au%HScaX0zgOf_3}B299I;miqoz:');
define('LOGGED_IN_SALT', '} >Bpcr|jIZ6~88isD ^!f<a>J7MKtqhi]%)-)6Cpu-@&7L;VDo?O+J+!a^>n(K8');
define('NONCE_SALT', '5QW_oa0[P._!IVGe+OGHkO?i+U|5k6Fr-O;,-Hr@|<f!}i%iZVK2[#My-ld|4]8M');
I’m not sure why they don’t generate these keys locally, though. Security reasons?