The actual Internet-Draft: http://tack.io/draft.html

Unlike Ars, this has the information you need. Each server that implements this TACK draft has a TACK key at any given time, as well as their usual TLS key. Conforming clients get sorta-ssh-like key security:

"3.2. Pin life cycle

A TACK client maintains a store of pins for verifying TLS connections. Pins associate a hostname and a TACK key. When a client sees a new hostname and TACK key combination, an inactive pin is created. Every subsequent time the client sees the same pin, the pin is "activated" for a period equal to the timespan between the first time the pin was seen and the most recent time, up to a maximum period of 30 days."
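The pin life cycle quoted above, sketched as a client-side pin store. This is an added example, not part of the original comment and not code from the TACK draft. The names `Pin`, `PinStore`, `observe` and `is_active` are hypothetical, and the handling of a different key (rejected while the existing pin is active, replaced by a new inactive pin otherwise) is an assumption that the quoted text does not spell out.

```python
from dataclasses import dataclass

DAY = 24 * 3600
MAX_ACTIVE_PERIOD = 30 * DAY  # 30-day cap from the quoted section 3.2


@dataclass
class Pin:
    tack_key: str      # identifier of the TACK key, e.g. a fingerprint
    first_seen: int    # when this hostname/key combination was first seen
    active_until: int  # the pin is active while now < active_until


class PinStore:
    """Client-side pin store; times are Unix seconds supplied by the caller."""
    def __init__(self):
        self.pins = {}  # hostname -> Pin

    def observe(self, hostname, tack_key, now):
        """Process one TLS connection and report what happened to the pin."""
        pin = self.pins.get(hostname)
        if pin is not None and pin.tack_key == tack_key:
            # Same pin seen again: activate it for as long as it has been
            # observed so far, capped at 30 days.
            seen_for = now - pin.first_seen
            pin.active_until = now + min(seen_for, MAX_ACTIVE_PERIOD)
            return "activated"
        if pin is not None and now < pin.active_until:
            # Assumption: a different key under an active pin is rejected.
            return "rejected"
        # New combination, or the old pin is not active: create an inactive pin.
        self.pins[hostname] = Pin(tack_key, first_seen=now, active_until=now)
        return "new-inactive"

    def is_active(self, hostname, now):
        pin = self.pins.get(hostname)
        return pin is not None and now < pin.active_until


def demo():
    # Constructed timeline for one host; returns the outcome of each connection.
    store = PinStore()
    return [
        store.observe("example.com", "key-A", 0),        # first contact
        store.observe("example.com", "key-B", 1 * DAY),  # old pin never activated
        store.observe("example.com", "key-B", 3 * DAY),  # active until day 5
        store.observe("example.com", "key-C", 4 * DAY),  # inside the active window
        store.observe("example.com", "key-C", 6 * DAY),  # window has lapsed
    ]
```

The timeline shows the property the activation rule gives: a key substituted on day 4 is refused because the pin earned two days of activation, while the same substitution on day 6 is accepted as a fresh, inactive pin.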