Table of Contents
If you ended up on this page, you most likely clicked the "Issuer statement" button, from a certificate that was labelled something like
USB\VID_... (libwdi autogenerated), and which you found installed as a Trusted Root Certification Authority or Trusted Publisher on your machine.
If so, you may be wondering what these certificates are for, and how they got installed onto your system.
This Certification Practice Statement attempts to answer these questions.
The certificates are generated by libwdi, which is a library aiming at facilitating the installation of USB drivers on Windows. They are being installed to the Trusted Root Certification Authorities and Trusted Publishers system stores as these stores are used in the validation of driver packages created by libwdi based applications, to avoid prompts such as following, from appearing during a driver installation:
The reason libwdi attempts to remove these prompts is because they serve little legitimate purpose and are more of an annoyance than anything else for end users. As a matter of fact, a prompt like the one above will appear even if you use Microsoft's own WinUSB driver files, to install a generic USB device, and this despite the fact that all the WinUSB driver files are digitally signed by Microsoft. Therefore, on Vista and later, you end up in the ridiculous situation where even a driver package, that only contains Microsoft certified binaries, is flagged by Microsoft as something that could be harmful.
Because libwdi expects prompts such as the one above to be confusing to end-users, it does take steps to ensure that, when installing a generic driver that can be trusted (WinUSB, libusb0 or libusbK, since they are all digitally signed with a Microsoft Authenticode digital signature and come from a reputable source), the security warning does not occur. In order to do so however, a libwdi based application needs to install an auto-generated certificate for each device, and this is the reason why you find these auto-generated certificates in your machine's certificate stores.
As mentioned above, the certificates are generated by libwdi, but libwdi is only a library, which may be used by a whole range of applications that require generic access to an USB device. As such, it is impossible for us to list the name of all the applications that may install the USB\VID_... certificates. Our current knowledge of the most common libwdi-based applications likely to install such certificates include:
We did consider prompting end-users at least once, before installing the certificates, but we decided not to after considering that libwdi would end up being used by people who have no idea about PKI or certificates, and may not understand the choices being presented to them.
While it is true that, in most situations, an application should never go around installing trusted certificates without asking the user, because this may leave somebody else with the ability to sign malicious trusted binary packages, we consider that the certificates from libwdi are a special case because:
Finally, because the certificates can only be installed from an application running in elevated mode, which means that the end-user first has to indicate that he or she trusts the application operation, we consider that the user also provides consent for the installation of certificates in the trusted stores, which is one of the operations the application needs to perform to ensure ease of use. As you can see, we have also made sure that our Certification Practice Statement (this page) is accessible from just a click when viewing the certificates, to be as open as possible about our installation process.
If you find that you no longer plan to use the USB device the certificates were attached to, you can easily delete them, through one of the following methods. Note however that, because they are installed into the system rather than the user stores, a certificate management application may have to run in elevated mode to be able to perform deletion.
USB\VID_...certificate you want to delete and click the 'Remove' button
USB\VID_...certificate you want to delete, and select 'Delete'
Here is how the signing process of a driver package occurs in a libwdi based application:
SelfSignFile()function calls from
Last edited by pbatard,