I'm reading about Extended Validation (EV) certificates and have a few questions. From what I understand, EV allows domain owners to pay extra for an especially trusted certificate (that the browser will honor with special display properties) and it requires CAs to do extra steps to verify that the issued certificates are valid. The Microsoft documentation says that domain administrators can add certificates to Internet Explorer that they would like to be viewed as EV (useful for internal applications). My question is, if they can manipulate the EV list in Internet Explorer, what is stopping my domain administrator from doing the same thing as these guys and buying a subordinate root certificate for some outside site and adding it to my IE browser as an EV certificate?
Second question: In Firefox, for example, the list of certificates with EV status is "embedded" in the browser. If I do a custom build of Firefox, can I manipulate this embedded list?