Assuming your code-signing tool is secure (e.g., does not suffer from buffer overflow exploits and the like), is there any reason to be concerned if a time-stamping service is not running over SSL? Obviously, a MITM attack could do slightly annoying things (e.g., provide a bad certificate), but SSL doesn't protect you from such attacks, since a MITM can already cause an SSL timestamp to fail (by blocking the request). Technically, a MITM could also provide a valid certificate under the MITM's control (allowing them to revoke it later).
Are there any realistic concerns when using a timestamping service over HTTP, rather than HTTPS?