The idea of principal has not reached official status that I am aware of probably because its flaws emerge as you try to argue using the concept.
The idea of principal being important seems to assume that all of the programs are doing just exactly what the initiator (principal?) wants them to do. When the intentions of the various programmers are considered, these security arguments dissolve in a mist. When I run a program, it does what the author wants, subject only to the authority that I have managed to limit it to. If the program author is competent, ethical and we understand each other, it does what I want too. Curiously, Netscape, perhaps recognizing this point, uses “Principal” to refer to a program loaded from a remote site. Our kind of computer security is mainly concerned with what happens when software doesn’t do what the invoker wants thru incompetence, malice or misunderstanding.
Markm’s history of Java security is very interesting.