There have been several attempts to reason about computer security by introducing the concept of “Principal”. The concept is supposed to match the intuitive idea of “On whose behalf is this action being taken?”. Thus if I sit at a terminal and ask a database system for some information I will be starting one program directly but many more indirectly. In such cases the idea is that I am the principal whose credentials must be checked.

The idea of principal has not reached official status that I am aware of, probably because its flaws emerge as you try to argue using the concept.

The idea of principal being important seems to assume that all of the programs are doing just exactly what the initiator (principal?) wants them to do. When the intentions of the various programmers are considered, these security arguments dissolve in a mist. When I run a program, it does what the author wants, subject only to the authority that I have managed to limit it to. If the program author is competent and ethical, and we understand each other, it does what I want too. Curiously, Netscape, perhaps recognizing this point, uses “Principal” to refer to a program loaded from a remote site. Our kind of computer security is mainly concerned with what happens when software doesn’t do what the invoker wants, through incompetence, malice or misunderstanding.
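The point above, that a program does what its author wants bounded only by the authority the invoker managed to give it, can be made concrete with a small model. The example below is added here and is not part of the original essay; the in-memory file system, the paths and the helper programs are all constructed for illustration. It contrasts a principal-style check, where a helper run “as alice” inherits every permission alice has, with a capability-style grant, where alice hands the helper only the one object it needs.

```python
"""Added example (not from the original essay).

Two ways of running a helper program on a user's behalf:

* AmbientFS: the 'principal' model. Every read is checked against the
  principal's ACL, and the helper runs with the whole ACL because it
  runs 'as' the invoker. The helper therefore does whatever its author
  wrote, including reading files the invoker never meant to expose.

* ReadCap: the capability model. The invoker hands the helper an
  unforgeable handle to exactly one file, so the author's intentions
  are bounded by that grant, whatever the author wrote.

All file names and contents are constructed for this example.
"""

# Constructed in-memory file system keyed by path.
FILES = {
    "/home/alice/report.txt": "quarterly figures",
    "/home/alice/secrets.txt": "alice's password list",
}


class AmbientFS:
    """Principal model: the helper gets this whole object and with it
    every path the principal may read."""

    def __init__(self, principal, acl):
        self.principal = principal
        self.acl = acl  # set of paths the principal may read

    def read(self, path):
        if path not in self.acl:
            raise PermissionError(f"{self.principal} may not read {path}")
        return FILES[path]


class ReadCap:
    """Capability model: an unforgeable handle to exactly one file."""

    __slots__ = ("_read",)

    def __init__(self, path):
        # Bind the path in a closure so the holder cannot see or change it.
        self._read = lambda: FILES[path]

    def read(self):
        return self._read()


def helper_ambient(fs, wanted):
    """A helper whose author decided to read more than the invoker asked for.
    It succeeds only because authority is ambient."""
    requested = fs.read(wanted)
    leaked = fs.read("/home/alice/secrets.txt")
    return requested, leaked


def helper_capability(cap):
    """Same kind of helper, but the only file it can name is the one it was
    handed: there is no ambient file system to ask for anything else."""
    return cap.read()


def run_as_principal():
    """Alice runs the helper with her full ACL: the extra read goes through."""
    fs = AmbientFS("alice", set(FILES))
    return helper_ambient(fs, "/home/alice/report.txt")


def run_as_principal_restricted():
    """What the invoker must do in the principal model to bound the helper:
    trim the ACL in advance. The author's extra read is then refused."""
    fs = AmbientFS("alice", {"/home/alice/report.txt"})
    try:
        helper_ambient(fs, "/home/alice/report.txt")
    except PermissionError as exc:
        return str(exc)
    return "no error"


def run_with_capability():
    """Alice hands over one capability; the helper can read nothing else."""
    cap = ReadCap("/home/alice/report.txt")
    return helper_capability(cap)


if __name__ == "__main__":
    print("principal model   :", run_as_principal())
    print("principal, trimmed:", run_as_principal_restricted())
    print("capability model  :", run_with_capability())
```

In the principal model the invoker has to anticipate every file the helper's author might touch and trim the ACL beforehand; in the capability model the grant is the bound, and nothing the helper's author writes can reach past it.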

Markm’s history of Java security is very interesting.