When did development on various TLS versions begin?
TL;DR
This is what the little research I did was able to find. Most of these dates are, as you can read in the longer version, based on the first submitted draft of the respective protocols and not the first time they've been talked about. I hope this might help in your work anyway, and that it might help when doing further research.
- SSLv1 - November/December 1993.
- SSLv2 - At the end of year 1994, before November 29.
- SSLv3 - 5. December 1995.
- TLS1.0 - ~~26. November~~ May 1996.
- TLS1.1 - 19. February 2002.
- TLS1.2 - February 2006.
- TLS1.3 - 17. April 2014.
This is by no means a complete and "100%" list, and I hope someone wants to take the little research I've done and further expand on it.
The longer, more historical version
As StackzOfZtuff also noted, the IETF Datatracker is a valuable tool for digging backwards in the history of RFCs, and will be a nice companion for the rest of your digging.
Netscape
SSLv1
Netscape Communications started to develop the SSL protocol soon after the National Center for Supercomputing Applications (NCSA) released Mosaic 1.0 - the first popular Web browser - in 1993. Eight months later, in the middle of 1994, Netscape Communications already completed the design for SSL version 1 (SSL 1.0)
SSL and TLS: Theory and Practice by Rolf Oppliger
Version 1 of Mosaic was released for the Windows platform November 11, 1993. (In the beginning there was NCSA Mosaic....). We could then guess that SSLv1 was done around July 1995.
Version 1 was never released publicly. Rolf Oppliger tells the tale why in SSL and TLS: Theory and Practice:
[SSL v1] circulated only internally (i.e., inside Netscape Communications), since it had several shortcomings and flaws. For example, it didn't provide data integrity protection. In combination with the use of the stream cipher RC4 for data encryption, this allowed an adversary to make predictable changes to the plaintext message. Also, SSL 1.0 did not use sequence numbers, so it was vulnerable to replay attacks. Later on, the designers of SSL 1.0 added sequence numbers and checksums, but still used an overly simple cyclic redundancy check (CRC) instead of a cryptographically strong hash function that is one-way and collision-resistant.
SSLv2 (Also known as SSL 0.2)
Netscape Communications came up with SSL Version 2. (SSL 2.0) at the end of 1994, to resolve the problems mentioned with SSL 1.
SSL and TLS: Theory and Practice by Rolf Oppliger
tools.ietf.org/html/draft-hickman-netscape-ssl-00.txt
There is a mirror of the SSL 2.0 draft located in Mozilla's archives, but there is no date when the draft was originally started or submitted, only when it was revised.
The spec got revised a couple of times:
- November 29, 1994
- December 22, 1994
- January 17, 1995
- January 24, 1995
- February 9, 1995
Fun fact:
Both SSL2 and SSL3 have 16-bit (two-byte) version number fields. SSL2 interprets this as a single 16-bit integer, and the official number is 2, e.g. 0x0002. SSL3 interprets two-byte version numbers as a one byte "major" number and a one byte "minor" (or fractional) number. So the value 0x0002 is interpreted by SSL3 as version 0.2, not 2.0.
http://www-archive.mozilla.org/projects/security/pki/nss/ssl/
SSLv3
SSLv3 was, according to this draft, first submitted to IETF 5. December 1995. draft-freier-ssl-version3-00.
IETF
TLS 1.0
The first TLS 1.0 draft was written on November 26, 1996 according to draft-ietf-tls-protocol-00.txt.
[edit 14:22 5/7/2015] As commented by @user23127, development of TLS 1.0 was started in May of 1996. "SSL and TLS: Designing and Building Secure Systems" by Rescorla, Eric, page 49, section 2.6
TLS 1.1
The earliest document I can find for TLS 1.1 is the [draft-ietf-tls-rfc2246-bis-00](https://tools.ietf.org/id/draft-ietf-tls-rfc2246-bis-00.txt) (history: https://datatracker.ietf.org/doc/rfc4346/history/). Uploaded to IETF 19. February 2002. Note that the header of that document says:
The TLS Protocol
Version 1.0
They first added version 1.1 to the draft in the second revision published 6. October 2002: draft-ietf-tls-rfc2246-bis-02
TLS 1.2
The draft draft-ietf-tls-rfc4346-bis-00 states February 2006.
TLS 1.3
The earliest draft on IETF is this one: draft-ietf-tls-tls13-00.txt uploaded 17 April 2014. This matches the first commit on the GitHub repo tls13-spec that you linked to.
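The two readings of the version field described in the fun fact above, as an added example that is not part of the original answer. It goes one step further and applies them to the first bytes of a connection, which is how a defender spots legacy SSL in a capture; the record header layouts and the `NAMES` table are assumptions taken from the SSL2 draft and the TLS RFCs, and the sample bytes in the comments are constructed.

```python
import struct

# Well-known major.minor wire values (not from the page). TLS 1.3 is absent on
# purpose: it is negotiated in an extension and still shows 3.1 or 3.3 here.
NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def as_ssl2(field: bytes) -> int:
    """SSL2 reading: the two bytes are one big-endian 16-bit integer."""
    return struct.unpack(">H", field)[0]


def as_ssl3(field: bytes) -> tuple:
    """SSL3/TLS reading: first byte is 'major', second byte is 'minor'."""
    return field[0], field[1]


def classify(first_bytes: bytes) -> str:
    """Name the protocol version announced in the first record of a connection."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    if first_bytes[0] & 0x80 and first_bytes[2] == 0x01:
        # SSL2-style record: 2-byte length header (high bit set),
        # message type 1 = CLIENT-HELLO, then the 16-bit version field.
        field = first_bytes[3:5]
        if as_ssl2(field) == 2:
            return "SSL 2.0"
        # An SSL2-format hello sent by a newer client carries 3.x here.
        major_minor = as_ssl3(field)
    elif first_bytes[0] in (20, 21, 22, 23):
        # SSL3/TLS record: content type byte, then major and minor bytes.
        major_minor = as_ssl3(first_bytes[1:3])
    else:
        raise ValueError("not an SSL/TLS record")
    return NAMES.get(major_minor, "unknown %d.%d" % major_minor)


# Constructed sample inputs:
#   classify(b"\x80\x2e\x01\x00\x02")  SSL2 CLIENT-HELLO, version field 0x0002
#   classify(b"\x16\x03\x01\x00\xc8")  handshake record, version bytes 03 01
#   classify(b"\x16\x00\x02\x00\x10")  0x0002 read the SSL3 way: version 0.2
```

The record-layer version is only what the header announces; the version actually negotiated is decided later in the handshake.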
The IETF has a data tracker for its RFCs.
This means that you can flesh out the development timeline by adding the various drafts for each RFC. And you can narrow down dates to the date of the first published draft.
What this doesn't tell you is when development for the first submitted draft of each RFC started.
Also the "SSL" named protocols were not developed through the RFC process.
Datatrackers
- https://datatracker.ietf.org/doc/rfc6101/history/, SSL3.0. Published as a historic RFC much later than the actual development.
- https://datatracker.ietf.org/doc/rfc2246/history/, TLS 1.0
- https://datatracker.ietf.org/doc/rfc4346/history/, TLS 1.1
- https://datatracker.ietf.org/doc/rfc5246/history/, TLS 1.2
- https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/history/, TLS 1.3
Partial timeline
- 1996-12-03, TLS 1.0, first draft (of 6)
- 1999-01-01, TLS 1.0, RFC published
- 2002-02-19, TLS 1.1, first draft (of 13)
- 2006-03-02, TLS 1.2, first draft (of 10)
- 2006-04-26, TLS 1.1, RFC published
- 2008-08-15, TLS 1.2, RFC published
- 2014-04-17, TLS 1.3, first draft
Further reading
Ivan Ristić, Bulletproof SSL and TLS, introductory chapter is free online. Section "Protocol History" on page 3.
- And especially this quote:
For a much more detailed history of the early years of the SSL protocol, I recommend Eric Rescorla’s book SSL and TLS: Designing and Building Secure Systems (Addison-Wesley, 2001), pages 47–51.
Nice scrollable timeline here: Ivan Ristić, SSL/TLS and PKI History