I'm interested in signing my Silverlight XAP with a self-signed certificate, so it can auto-update. I haven't tried yet, but figure I can create a certificate easily with this question/answer I found on StackOverflow.
But it's not clear to me what the timestamp server does and can I use a timestamp server from a company (for example, the one from Comodo), even if I didn't buy a certificate from them, but self-signed my certificate?
Putting bits and pieces together I found the following answer by BruceCran:
Any timestamp server can be used: I recently switched from my issuer's timestamp server to Verisign since I found that GlobalSign's server was unreliable. Furthermore, Thawte don't run their own timestamp server but recommend people to use Verisign's.
So, yes I assume I can use any timestamp server.
As for what a timestamp server does, it is explained by Comodo:
Since key pairs are based on mathematical relationships that can be cracked with a great deal of time and effort, it is a well-established security principle that a digital certificate should expire. Your Digital ID will expire one year after it is issued. However, most software is intended to have a lifetime of longer than one year. To avoid having to resign software every time your certificate expires, companies have introduced time stamping services. When you sign code, a hash of your code will be sent to Certification Authority to be time stamped. Once your software has been time stamped, you will not need to worry about resigning code when your Digital ID expires. Microsoft Authenticode allows you to time stamp your signed code so that signatures will not expire when your certificate does.
So your certificate expires, but your code doesn't.
