PrivateCredentialPermission, when created using it's public constructor, behaves as per the expected Permission api, however instances created by the Java runtime, truncate Principal information from the getName() method. This work around ensures that River's Policy provider behaves as expected.
river/jtsk/trunk/src/org/apache/river/api/security/PermissionComparator.java