by class4behavior 2439 days ago
No third party signed their certificates. Just a contracted employee who worked for Tesonet typed in his company name instead of ProtonVPN. That's just the Android keystore, nothing else. Google supports keystore rotation only starting with Android 9.

It's actually not even a contracted employee. It was a Proton employee who in 2016 was getting payroll through another company before we had our own corporate entity. Keystore rotation is still not yet available in Android, so the old key (which we solely control) can't be changed or modified. Android actually also hashes with the certificate metadata so even that can't be edited separately.
On principle I am not impressed with what happened and I think it's very sloppy. After the Lavabit fiasco we have to be extra scrutinous about the leadership in privacy-oriented companies. That said, I still have a few accounts with Protonmail and I think the service itself is pretty good.