Keep in mind that this is roughly my personal opinion only, and to make matters worse I have no clue at all about the book you referred to.
I can say that I've been using PGP since 1998 or something. I'm not trying to claim that I know everything, but I have seen and experienced a lot.
I made my first keypair today. Before I send my public key to a keyserver, I'd like to feel more confident that it makes sense and reflects modern best practices.
Would an OpenPGP old hand be willing to take a gander at my public key, and offer guidance?
So, first thing, I wouldn't use a key which has a very short expiration date. Yours is only valid for one year, and that's really not much time. Of course this heavily depends on how you want to use your key, as is the case with most GPG-related things.
But common practice is basically to set up a key which is valid for several years if not simply forever. If you want to build up a web of trust then that will take time. It would be annoying if you'd have to start all over again after one year or so.
Theoretical situation: 11.5 months from now you've noticed that I'm a GPG user and for whatever reason we swap keys. I've been a little picky with "just" trusting yours, so we decided to share both e-mail addresses and phone numbers; we contacted each other, and that made me decide to sign your key.
And then your key expires. So one month afterwards you come knocking at my doorstep again. "Can we swap again?". No offense intended, but do you really think I would still consider you reliable if I had just gone to all the trouble to verify and eventually sign your key, and 1 month later you want me to do it all over again? Errrr, no ;-)
So... Once you've set up a longer-lasting key, also be sure to create a so-called revocation key, and keep that secured! You'd be looking at (for example):
gpg -o revoke.asc --gen-revoke <your name>
The reason why you need to keep this highly secured is because anyone would be able to revoke your key using this bit of code.
That may sound a bit odd at first (why take such risks?), but just think of this as your last line of defense. If, for whatever reason, your key becomes inaccessible to you (because you forgot the password, for example), then you'd normally have an issue on your hands. In order to revoke it you'd need the password, but the reason you'd want to revoke it in the first place is the loss of your password. That's where the revocation key comes into play.
Next, the photo... Adding one is not bad practice (not at all), but it can limit the number of keyservers you can use. Not every keyserver accepts such keys, which can seriously limit your choices. This doesn't have to be an issue if you simply pick a specific keyserver and tell everyone you work with to do the same thing. Easy.
Yet it can become tricky if your goal is to be as accessible as possible. If that's the main goal then I personally wouldn't bother with a picture at all. Chances are high that many GPG users out there wouldn't even be able to access / display it in the first place, depending on where they'd use and/or store it of course. Still, generally speaking, more often than not a picture is not much more than extra weight. Your key gets larger, basically for little reason.
Hmm, tips and tricks... Some random thoughts...
- If you plan on being serious about trust and all that then honor your chain of trust and don't blindly slap an ultimate trust on every random key you get. The web of trust was made for a reason.
- Always keep in mind that tools don't generate extra security; it's users who do.
- Think it over before you upload a key to a keyserver. Once it has been uploaded, it's pretty much impossible to ever remove it again. Most keyservers will even retain keys long after they have expired and/or been revoked.
- Never assume that everyone else can do the same stuff as you can (or as easily). One example is of course the picture, which not every GPG client can manage, but there are also users out there who would consider it a sin to "simply" delete a key (or (key) signature). Personally I don't always agree with that line of reasoning, but... keep point 2 in mind. If that works for them...
- Back up your keys, and keep the backup somewhere safe.
From the back of my mind here... Hope this can help.
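As an added example (not part of the answer above, and not GnuPG's own code), here is a small Python script that inspects an exported binary public key (what `gpg --export` writes without `--armor`) for the two things the answer warns about: a key lifetime of only about a year, and a photo ID (user attribute) packet that some keyservers and clients cannot handle. Packet and subpacket layout follow RFC 4880; the sample key built at the bottom is constructed in the script and is not a real or cryptographically valid key.

```python
"""Added check of a binary (not ASCII-armored) OpenPGP public key for two points raised
above: a short key lifetime and a photo ID. Layout per RFC 4880; the sample key is constructed."""
import struct
def _length(buf, i, old_ltype=None):
    """(length, index after the length field); old_ltype set = old-format header. Partial/indeterminate lengths unsupported."""
    if old_ltype is not None:
        size = {0: 1, 1: 2, 2: 4}[old_ltype]
        return int.from_bytes(buf[i:i + size], "big"), i + size
    b0 = buf[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
def packets(buf):             # yield (tag, body); gpg exports mix old- and new-format headers
    i = 0
    while i < len(buf):
        hdr = buf[i]
        tag, (n, start) = ((hdr & 0x3F, _length(buf, i + 1)) if hdr & 0x40
                           else ((hdr >> 2) & 0x0F, _length(buf, i + 1, hdr & 3)))
        yield tag, buf[start:start + n]
        i = start + n
def subpackets(area):         # yield (type, body); a subpacket's length covers its type octet
    i = 0
    while i < len(area):
        n, i = _length(area, i)
        yield area[i] & 0x7F, area[i + 1:i + n]
        i += n

def audit_key(blob):
    """Return (validity in days, or None if the key never expires; photo attached?)."""
    validity, has_photo = None, False
    for tag, body in packets(blob):
        if tag == 17:                                        # user attribute packet = photo ID
            has_photo = True
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:   # v4 self-certification
            hashed_len = struct.unpack(">H", body[4:6])[0]
            for stype, sbody in subpackets(body[6:6 + hashed_len]):
                if stype == 9:                               # key expiration: seconds after creation
                    validity = struct.unpack(">I", sbody)[0] // 86400
    return validity, has_photo

def _pkt(tag, body):          # constructed one-octet-length packet; old format for tag < 16, as gpg writes
    return (bytes([0x80 | tag << 2, len(body)]) if tag < 16 else bytes([0xC0 | tag, len(body)])) + body

def sample_key(expiry_days, with_photo):   # constructed: v4 RSA key, user ID, positive self-cert, optional photo
    created = 1_700_000_000
    key = _pkt(6, bytes([4]) + struct.pack(">IB", created, 1) + b"\x00\x10\x01\x23")   # fake 16-bit MPI
    hashed = bytes([5, 2]) + struct.pack(">I", created) + bytes([5, 9]) + struct.pack(">I", expiry_days * 86400)
    sig = _pkt(2, bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + b"\x00\x00\xab\xcd\x00\x08\xff")
    return key + _pkt(13, b"Alice <alice@example.invalid>") + sig + (_pkt(17, bytes(64)) if with_photo else b"")
```

On a real export, `audit_key(open("key.gpg", "rb").read())` returning a validity near 365 or `has_photo == True` flags exactly the two choices the answer advises against; a result of `None` means no expiration subpacket was found.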