The relevant bit of information you're looking for is this part of the standard:
"Sharing pin information:
It is possible for a client to maintain a pin store based entirely on its own TLS connections. However, such a client runs the risk of creating incorrect pins, failing to keep its pins active, or failing to receive min_generation updates. Clients are advised to make use of 3rd-party trust infrastructure so that pin data can be aggregated and shared. This will require additional protocols outside the scope of this document."
All that TACK does on its own without an external "trusted source" for pinned keys is provide a mechanism for a client to ask a site "Do you have a pinnable key?" and then compare / track that over time to determine if the TLS connection has changed vs. what was expected.
As a hypothetical, if your client starts with zero knowledge of a site, the best TACK can do is tell you, over time, "Yes, this is the same TLS key." It cannot, on its own, tell you "You should trust this key." It simply tells you "You can trust this connection has/hasn't changed" and "This site would like to you consider this key pinned".
The part where it removes the dependency on a CA is where the standard says that a client may validate the signature chain of a pinned key but that it is not required to do so.
Chrome pins certain keys from Google and a few other third parties in the client itself. The TACK proposal basically adds a mechanism for dynamic pinning with an optional (and recommended) additional mechanism for gathering trusted pinned certificate lists (without specifying how to do this part).
Ah, thanks. Tack isn't a replacement for (or comparable to) Convergence, as the latter also tells you that you can trust a site, since its key has been the same for X months, even if you've never seen it before.
Unfortunately, Convergence has the disadvantage of relying on central servers, which have to be maintained by someone.
"Sharing pin information:
It is possible for a client to maintain a pin store based entirely on its own TLS connections. However, such a client runs the risk of creating incorrect pins, failing to keep its pins active, or failing to receive min_generation updates. Clients are advised to make use of 3rd-party trust infrastructure so that pin data can be aggregated and shared. This will require additional protocols outside the scope of this document."
All that TACK does on its own without an external "trusted source" for pinned keys is provide a mechanism for a client to ask a site "Do you have a pinnable key?" and then compare / track that over time to determine if the TLS connection has changed vs. what was expected.
As a hypothetical, if your client starts with zero knowledge of a site, the best TACK can do is tell you, over time, "Yes, this is the same TLS key." It cannot, on its own, tell you "You should trust this key." It simply tells you "You can trust this connection has/hasn't changed" and "This site would like to you consider this key pinned".
The part where it removes the dependency on a CA is where the standard says that a client may validate the signature chain of a pinned key but that it is not required to do so.
Chrome pins certain keys from Google and a few other third parties in the client itself. The TACK proposal basically adds a mechanism for dynamic pinning with an optional (and recommended) additional mechanism for gathering trusted pinned certificate lists (without specifying how to do this part).