The relevant bit of information you're looking for is this part of the standard:
"Sharing pin information:
It is possible for a client to maintain a pin store based entirely on its own TLS connections. However, such a client runs the risk of creating incorrect pins, failing to keep its pins active, or failing to receive min_generation updates. Clients are advised to make use of 3rd-party trust infrastructure so that pin data can be aggregated and shared. This will require additional protocols outside the scope of this document."
All that TACK does on its own without an external "trusted source" for pinned keys is provide a mechanism for a client to ask a site "Do you have a pinnable key?" and then compare / track that over time to determine if the TLS connection has changed vs. what was expected.
As a hypothetical, if your client starts with zero knowledge of a site, the best TACK can do is tell you, over time, "Yes, this is the same TLS key." It cannot, on its own, tell you "You should trust this key." It simply tells you "You can trust this connection has/hasn't changed" and "This site would like to you consider this key pinned".
The part where it removes the dependency on a CA is where the standard says that a client may validate the signature chain of a pinned key but that it is not required to do so.
Chrome pins certain keys from Google and a few other third parties in the client itself. The TACK proposal basically adds a mechanism for dynamic pinning with an optional (and recommended) additional mechanism for gathering trusted pinned certificate lists (without specifying how to do this part).
Ah, thanks. Tack isn't a replacement for (or comparable to) Convergence, as the latter also tells you that you can trust a site, since its key has been the same for X months, even if you've never seen it before.
Unfortunately, Convergence has the disadvantage of relying on central servers, which have to be maintained by someone.
Where Convergence is about changing the way the TLS trust infrastructure works, TACK is about reducing the exposure that a client has to that trust infrastructure.
Currently, your browser is dependent on the CA system for every TLS connection that it makes to a server. The hope for TACK is to reduce your browser's dependence on the CA system to only the first TLS connection that it makes to a server.
At that point, not only do breaches in your trust infrastructure do less damage, but it hopefully becomes easier to solve the problem of transforming the way that trust infrastructure works. This is why most development on Convergence is blocking on TACK.
Oh, I didn't realise TACK was your proposal. Now I'm wondering why it wasn't included in TLS in the first place. It sounds very reasonable, but the more valuable (to me, at least) functionality is the ability to have even self-signed certificates be trusted (i.e. what Convergence does). Why is Convergence blocking on TACK, by the way? It sounds like the two would be complementary. Is it just the notary load that is generated when looking up the certificate on every request? Can't that just be cached?
"Sharing pin information:
It is possible for a client to maintain a pin store based entirely on its own TLS connections. However, such a client runs the risk of creating incorrect pins, failing to keep its pins active, or failing to receive min_generation updates. Clients are advised to make use of 3rd-party trust infrastructure so that pin data can be aggregated and shared. This will require additional protocols outside the scope of this document."
All that TACK does on its own without an external "trusted source" for pinned keys is provide a mechanism for a client to ask a site "Do you have a pinnable key?" and then compare / track that over time to determine if the TLS connection has changed vs. what was expected.
As a hypothetical, if your client starts with zero knowledge of a site, the best TACK can do is tell you, over time, "Yes, this is the same TLS key." It cannot, on its own, tell you "You should trust this key." It simply tells you "You can trust this connection has/hasn't changed" and "This site would like to you consider this key pinned".
The part where it removes the dependency on a CA is where the standard says that a client may validate the signature chain of a pinned key but that it is not required to do so.
Chrome pins certain keys from Google and a few other third parties in the client itself. The TACK proposal basically adds a mechanism for dynamic pinning with an optional (and recommended) additional mechanism for gathering trusted pinned certificate lists (without specifying how to do this part).