If you are volunteering to verify callsigns, free, just as the ARRL does, then I will have no problem adding your Certificate Authority to my configuration. This scheme is very much capable of using multiple authorities for authentication. The ARRL just happens to be the one who already has a large, trusted install base and has agreed to let us use their service in this manner.
Anybody who can install this:
https://packages.debian.org/search?searchon=contents&keywords=aprspass&a...
or something similar
can generate passcodes for any valid or invalid callsign...
There is no security in the APRS passcode; the passcode is derived from the callsign itself by a static algorithm.
The algorithm itself was kept somewhat in the dark, but it is no secret.
APRS passcodes must be considered public knowledge.
73 de Marc