
So it turns out they accidentally included their certificate private key inside the Chrome extension package:

https://twitter.com/nikcub/status/205489752684765185

Edit: just created a fake package and signed it:

https://github.com/nikcub/yahoo-spoof
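A pre-release check for the mistake described in this post, added here as an example that is not part of the original thread or of Yahoo's or the spoof repo's code: it scans a zip-based extension package for PEM private-key blocks and key-like file names, so a build pipeline can refuse to publish a package that bundles signing material. It assumes the CRX header has already been stripped so the input is a plain zip; the sample package and its placeholder key are constructed.

```python
import io
import re
import zipfile

# PEM markers for private key material that should never ship in a release
# artifact such as a Chrome extension package.
PRIVATE_KEY_PATTERN = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
)
# File names that by convention hold keys or key containers.
SUSPICIOUS_NAMES = re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE)


def scan_package(zip_bytes):
    """Return a list of (member_name, reason) findings for a zip package.

    Assumption: the caller passes a plain zip (for a CRX, the header that
    precedes the zip payload has already been removed).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if SUSPICIOUS_NAMES.search(info.filename):
                findings.append((info.filename, "key-like file name"))
            # Content check catches keys hidden in files with innocent names.
            if PRIVATE_KEY_PATTERN.search(zf.read(info.filename)):
                findings.append((info.filename, "PEM private key block"))
    return findings


def build_sample_package():
    """Constructed sample: an extension zip that mistakenly bundles a key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        # Placeholder body, not a real key; only the PEM markers matter here.
        zf.writestr(
            "build/signing.pem",
            "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
            "-----END RSA PRIVATE KEY-----\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_package(build_sample_package()):
        print(f"{name}: {reason}")
```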



I don't know what kind of damage you can cause with this information, but I do think that posting this publicly was pretty unethical. You should have contacted Yahoo and then disclosed the information after.

EDIT: And here come the downvotes. If you disagree with what I said then you really should post a response, because you're preventing me from understanding why I might be wrong. If I knew your house door was unlocked, would it be okay for me to tell everyone in the world before I let you know?


He caused no damage whatsoever.

Yahoo caused the damage the second they put it up for download and someone downloaded it; at that point the cat was out of the bag and the certificate compromised.

When dealing with certificate signing and compromised private certs "Maybe no one noticed" is not a good enough response.

(I am assuming he used various methods of contacting Yahoo directly as well as publicly calling them out of course.)

EDIT: Thinking about it, he MIGHT have caused damage because maybe no one else noticed before Yahoo got the cert revoked, but the chances that no one else (blackhats, for example) noticed before the cert was revoked are very small in my opinion.


I agree with you. I think it's unethical not to publicly announce this one. I understand that some bugs may be best treated in private, but compromised certificates can cause real havoc.


Ethics: +1


Well done, Yahoo. Is it a cert they use on all their products / sites or just this one?

Wondering about the pain the revocation is gonna cause.


Has anybody confirmed that this works?



