If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
I can explain (and have explained in this forum) the technical aspect of how the MIT PGP site works. I was not involved in the law aspect of the debate, so I cannot answer legal questions. There is a two-tiered protection scheme. The first scheme is that you need to know the secret directory where PGP resides. This directory changes location every 30 minutes, so any attacker has a 30 minute window in which a name will be valid. Not 30 minutes from the time they receive it, 30 minutes from the time the directory last changed names. The second scheme involves using reverse DNS lookups and comparing the DNS hostname to a list of know US-valid hostnames/domains. An attacker needs to be able to circumvent both schemes at once in order to get to PGP. I can go into more detail if people want, or I can take this offline if people prefer. -derek