We are using VeriSign's time stamp service currently, but every so often the time stamp server becomes unavailable - mostly due to our ISP failing.

We now timestamp everything we build, even simple dev builds as we had a lot of trouble with Vista not running the unsigned/unstamped files properly.

Can we set up a time stamp service to do the same? I've looked around and not really found any information at my current level of knowledge that tells me this can or cannot be done.

+1  A: 

I've been looking for the same thing and so far we are using a Thawte code signing certificate with free VeriSign timestamping. The Trusted timestamping article on Wikipedia has 2 good images of how it works and some external links at the bottom, including links to the RFC and ANSI ASC. One of the links goes to digistamp.com, where they offer a high-volume service and also sell a SecureTime server and license. The current list price for this is $30,000 plus $4,500 annual maintenance and audit, way more than we would pay.

One thing that I still am not clear about is how frequently the timestamping service needs to be contacted. If it only needs to contact the service once during signing time, then that's okay, but if the service needs to be contacted every time the certificate is accessed it would be better to have our own. I haven't seen anything like this in the open source community.

Bratch
+1  A: 

"Can we set up a time stamp service to do the same?"

Use http://www.opentsa.org/

dd75
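
An added example, not part of either answer: a throwaway RFC 3161 time stamp authority driven by the `openssl ts` command, showing that the service is contacted once when the file is stamped and that later verification works offline from the stored token. It assumes an OpenSSL build that includes `ts`; the file names, subject names, config sections and the policy OID `1.2.3.4.1` are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: a throwaway RFC 3161 TSA built with `openssl ts`.
# Every name, the policy OID and the sample file are made up for illustration.
tsa_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  cat > tsa.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[ tsa_ext ]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,timeStamping
[ tsa ]
default_tsa = demo_tsa
[ demo_tsa ]
serial = ./serial
signer_cert = ./tsa.crt
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  echo 01 > serial
  # Root CA, then a TSA certificate whose only extended key usage is timeStamping.
  openssl req -x509 -config tsa.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 30 2>/dev/null
  openssl req -new -config tsa.cnf -subj "/CN=Demo TSA" -newkey rsa:2048 -nodes \
    -keyout tsa.key -out tsa.csr 2>/dev/null
  openssl x509 -req -in tsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile tsa.cnf -extensions tsa_ext -out tsa.crt -days 30 2>/dev/null
  # Signing time: hash the file, send the query, store the signed token. One exchange.
  printf 'dev build output\n' > build.bin
  openssl ts -query -data build.bin -sha256 -cert -out req.tsq 2>/dev/null
  openssl ts -reply -config tsa.cnf -queryfile req.tsq -out resp.tsr 2>/dev/null
  # Later: verification needs only the file, the token and the CA cert, not the TSA.
  check() { openssl ts -verify -data build.bin -in resp.tsr -CAfile ca.crt \
    >/dev/null 2>&1 && echo accepted || echo rejected; }
  orig=$(check)
  echo 'patched after stamping' >> build.bin
  echo "original=$orig modified=$(check)"
)
tsa_demo
```

A token from a private TSA like this one validates only on machines that trust its root certificate, so it suits internal dev builds rather than files shipped to customers.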